Abstract

We present a programming language EoA, which embodies what Reynolds
has described as the "essence of Algol." In particular, EoA allows higher-order
procedures and the declaration of block structured local variables. We develop
a Plotkin-style Structured Operational Semantics for EoA. Tennent has developed
a denotational model which aims to capture the semantics of stack allocated
local variables. We present Tennent's denotational model for EoA, which,
although not fully abstract, appears to be the best model of block structure
developed to this date. Tennent's model is based on a category of functors from a
collection of store shapes (possible worlds) to the category of bottomless cpos.
The model is based on ideas pioneered in the early 1980's by Reynolds and Oles.
The main result of this thesis is a proof that Tennent's model is adequate for
EoA. We then abstract away some of the details of Tennent's model and state
sufficient conditions for a functor category to be adequate for EoA. The thesis
concludes with a comparison of the best known models of block structure, and
discusses where Tennent's model fails to reach full abstraction.

Keywords: Algol, operational semantics, denotational semantics, adequate, 
fully abstract 
Chapter 1

Introduction 



The goal of this thesis is to present a language, which we call EoA, embodying
many of the essential features of an ALGOL-like language. The language
EoA is a minor variant of Reynolds's "essence of Algol" [20]. In Chapter 2 we
define the syntax of EoA and develop a Plotkin-style Structured Operational
Semantics for EoA [19]. In Chapter 3 we present Tennent's denotational
semantics for EoA [12-14,24,25], which, although not fully abstract, appears to
be the best semantics of EoA developed to this date. Tennent's model is based
on ideas pioneered in the early 1980's by Reynolds and Oles [15-17,21]. The
model uses the category of functors from a collection of store shapes (possible
worlds) to the category of bottomless cpo's. Chapter 4 contains the main
technical result of this thesis: a proof that Tennent's model is adequate for EoA.
We then abstract away some of the details of Tennent's model and state some
sufficient conditions for a functor category model to be adequate for EoA.
Chapter 5 includes a discussion of how the Tennent model handles the Meyer-Sieber
examples [9], and discusses two counterexamples to full abstraction.

The remainder of this Chapter provides a general description of the criteria 
for "ALGOL-like languages" and presents a quick overview of Reynolds's "essence 
of Algol." 



1.1 ALGOL-like Languages 

We follow the work of Reynolds [20] and Halpern, Meyer and Trakhtenbrot [4, 26] 
in taking the following four principles as characterizing the class of ALGOL-like 
languages: 

1. There is a consistent distinction between commands (or pro- 
grams) which alter the store but do not return values, and ex- 
pressions which return values but have no side-effects on the 
store. 



2. The only explicit calling mechanism is by-name. (For parame- 
ters of basic data types, other mechanisms such as by-value or 
by-reference are available by simulation (syntactic sugaring).) 

3. The language is fully typed. Higher-order procedures of all 
finite types (in Algol jargon, modes) are allowed. There is a 
clear distinction between locations and storable values. 

4. The stack discipline is an explicit aspect of the semantics. Note 
that this discipline should be understood as a language de- 
sign principle encouraging modularity in program construction 
rather than as an implementation technique for efficient storage 
management. It is better called the local storage discipline to 
avoid misunderstanding, and we do so henceforth. 

— Trakhtenbrot, Halpern, and Meyer[26] 

1.2 Reynolds's "Essence of Algol" 

A key observation embodied in Reynolds's essence of Algol is that Algol is 
essentially a simply-typed functional language. With a careful understanding 
of types and call-by-name as the only built in parameter-passing mechanism, 
we can see that β-equivalence is a sound reasoning principle for Algol!
Consequently, the kernel syntax of Reynolds's essence of Algol is a simply typed
λ-calculus over the appropriate base types and constants required to capture the
imperative features of Algol. Although the only parameter passing mechanism 
explicitly present in the essence of Algol is call-by-name, the mechanisms of 
call-by-value and call-by-reference for storable data types can easily be simu- 
lated. 

1.2.1 Imperative Types 

To understand Reynolds's essence of Algol, we must understand his view of 
imperative types. Since the local storage discipline is essentially incompatible 
with storing state-dependent objects, there is a clear distinction between data 
and phrase types. Essentially, data types are those primitive entities which we 
can "store" (i.e. those which are kept track of in the state), whereas phrase 
types are the types which code can take on. Some examples of plausible data 
types are real, integer, and boolean. Some examples of plausible phrase types are 
real thunks, integer thunks, and commands. For an ALGOL-like language, the 
data types are "state independent," whereas all of the phrase types implicitly 
involve the state in some way. 

For each data type, there corresponds a phrase type for talking about such 
values. Reynolds takes as primitive data types: real, integer, and boolean, so 
the base phrase types corresponding to these basic data types are: exp[real], 



exp[integer], and exp[boolean]. For example, an object of type exp[real] is a 
"real exp(ressor)" — something which manages to read a real from the state. 
From the point of view of this thesis and in spite of our suggestive notation, 
exp[·] is not to be considered a general type constructor. Code can not take on
the type integer. Code takes on the type exp[integer]. From the point of view 
of programming in "essence of Algol," the phrase type integer does not exist. 
All "expressions" in an imperative language have an implicit ability to depend 
on the state. It would be possible to augment our collection of phrase types 
by a type which corresponded to "pure" (state-independent) integers. Most 
code, however, is actually written to expect the more general (state-dependent) 
expressions. Moreover, since expressions are side-effect free, there seems to be 
little motivation to make a distinction between the integer "5" and the thunk 
"5" which in any state evaluates to the integer 5. 

Another base phrase type is comm. We have already noted that a funda- 
mental criterion for being an "ALGOL-like language," is that expressions return 
values, but do not have side-effects on the state. All side-effects are restricted 
to occur at the type comm. Terms of type comm correspond to statements in 
the more traditional jargon. 

The most fundamental notion of an imperative language is the variable. 1 
Many authors model variables by locations. Some authors make the location-like 
behavior of variables an explicit part of the syntax of the languages (sometimes 
introducing a type "location" in place of the type "variable"). We follow the 
view that it is best not to commit to such representation issues at the level 
of the language design (Note: we will be modeling variables by locations). A 
variable has within it the ability to either write an element of a data type in the 
state, or read an element of a data type from the state. Consequently, we have 
the phrase types: var[real], var[integer], and var[boolean]. In fact we can view a 
variable as consisting of two separate components: a reading component, and a 
writing component. The reading component of a variable of type var[τ] (which
corresponds to what is often called the r-value) would have type exp[τ]. The
writing component of a variable (which corresponds to what is often called the
l-value) could be viewed as having type exp[τ] → comm. The writing component is a
state-to-state mapping which is parameterized by a state-dependent element of
the data type τ. Reynolds calls the writing component of a variable an acceptor,
and gives acceptors their own phrase type, acc[τ]. So, essentially, a var[τ] is an
exp[τ] paired with an acc[τ].

Reynolds also addresses the issue of subtyping of data types in his definition 
of the essence of Algol. Since we feel that the issues of subtyping data types 



1 We break with somewhat traditional terminology in programming language semantics, 
and use "variable" in the traditional programming sense — something which allows the state 
to be accessed or changed. We use "identifier" in the sense in which logicians have traditionally 
used variable, i.e. to denote a place holder in a term. So in this thesis, a variable is something 
we read from or write to, whereas an identifier appears free in a term, or is bound by a λ or
some other binding construct. 



and implicit coercions are largely orthogonal to the issue of local variables, from 
here on we will describe Reynolds's essence of Algol as though it does not 
have the data type real. We also feel that having the data type boolean does not 
raise any substantial issues in the context of local variables; we will also drop it 
from our discussion. The fact that we only have a single storable data type will 
allow us to simplify syntax in several ways. For example, we can now use exp
for exp[integer], acc for acc[integer], and var for var[integer]. It will also allow
us to simplify the syntax of local-variable-declaration blocks, as all of our local 
variables will be for the data type integer. 



1.2.2 Kernel Syntax 

Now, given this intuitive understanding of types, we can understand the kernel 
syntax of Reynolds's essence of Algol as a simply typed λ-calculus with base
types exp, acc, var, and comm, with appropriate typed constants and a few extra
term constructors. When talking informally, we will write our binary operators
in infix notation, e.g. writing $c_0 ; c_1$ instead of $((\mathrm{seq}\ c_0)\ c_1)$. For our proofs,
however, we restrict ourselves to the "correct" syntax.

The constants of type exp are simply the numerals, namely 0, 1, 2, ... At type
comm there is only one constant, the do-nothing command skip. There are no
constants of type acc or var. There are also a variety of constants of higher type.
For example, conditionals are uniformly available at all types. We will write the
conditional constant for type θ as $\mathrm{IFexp}_\theta$; it has type $\mathrm{exp} \to \theta \to \theta \to \theta$. The
intended semantics of $\mathrm{IFexp}_\theta$ is that if the exp evaluates to 0 then the first
consequent of the conditional is used, and if the exp evaluates to a non-zero
integer then the second consequent of the conditional is used.

There are also assignment operators, :=, for the types acc and var. The
intended semantics of the command a := e is the command which assigns the 
value of expressor e in the current store to the variable whose updating compo- 
nent is a. The intended semantics of v := e is the command which assigns the 
value of expressor e in the current store to the variable v. 

We also have curried versions of the standard arithmetic operations, which 
operate on types just built up from exp. 2 For example we have $\mathrm{succ} : \mathrm{exp} \to \mathrm{exp}$,
and $\mathrm{plus} : \mathrm{exp} \to (\mathrm{exp} \to \mathrm{exp})$.

The standard λ-calculus term constructors of application and λ-abstraction
$(\lambda\iota{:}\theta.\ M)$ are a part of the essence of Algol. There is also a term
constructor rec which behaves like a least fixpoint operator. Finally, there is
also an operator newvar of type $(\mathrm{var} \to \mathrm{comm}) \to \mathrm{comm}$ which is used for local
variable declarations.



2 Due to the availability of implicit conversions they can also operate on var arguments. 



1.2.3 Syntactic Sugar 

The full version of Reynolds's essence of Algol is the kernel language aug- 
mented by six sugaring constructs: higher-order conditionals, multiple abstrac- 
tion, multiple application, let, letrec, and New v in B. For completeness, we 
provide the sugared and desugared constructs, even though this is now fairly 
well established in the literature. Our treatment is largely taken from that of 
Tennent [24]. 

Our first bit of sugar is higher-order conditionals. Since the intended
parameter passing mechanism is call-by-name, we can define $\mathrm{IFexp}_{\theta\to\theta'}$ as
follows:

$$\mathrm{IFexp}_{\theta\to\theta'} =_{df} \lambda e{:}\mathrm{exp}.\ \lambda p_1{:}\theta\to\theta'.\ \lambda p_2{:}\theta\to\theta'.\ \lambda q{:}\theta.\ (\mathrm{IFexp}_{\theta'}\ e\ (p_1\ q)\ (p_2\ q))$$

When there is ambiguity about parenthesis, we assume application associates 
to the left. 

The next sugaring construct allows multi-parameter procedures (and thus 
also applications of multi-parameter procedures) via currying: 

$$\frac{\pi[\iota_1{:}\theta_1,\dots,\iota_n{:}\theta_n] \vdash P : \theta}{\pi \vdash \lambda(\iota_1{:}\theta_1,\dots,\iota_n{:}\theta_n).P : \theta_1 \times\cdots\times\theta_n \to \theta}$$

$$\frac{\pi \vdash P : (\theta_1\times\cdots\times\theta_n)\to\theta \qquad \pi \vdash Q_1 : \theta_1 \quad\cdots\quad \pi \vdash Q_n : \theta_n}{\pi \vdash P(Q_1,\dots,Q_n) : \theta}$$

So our desugaring is: 

$$\lambda(\iota_1{:}\theta_1,\dots,\iota_n{:}\theta_n).P =_{df} \lambda\iota_1{:}\theta_1.\cdots\lambda\iota_n{:}\theta_n.P$$

$$P(Q_1,\dots,Q_n) =_{df} P\,(Q_1)\cdots(Q_n)$$

Reynolds's essence of Algol uses a convenient notation for making (non- 
recursive) local definitions in programs which was suggested by Landin [7]: 

$$\frac{\pi[\iota_1{:}\theta_1,\dots,\iota_n{:}\theta_n] \vdash Q : \theta \qquad \pi \vdash P_i : \theta_i \ \ (\text{for } i = 1,2,\dots,n)}{\pi \vdash \mathbf{let}\ \iota_1\ \mathbf{be}\ P_1\ \&\cdots\&\ \iota_n\ \mathbf{be}\ P_n\ \mathbf{in}\ Q : \theta}$$

The let does not bind $\iota_1,\dots,\iota_n$ in any of $P_1,\dots,P_n$. A let creates a
non-recursive set of declarations in which Q gets evaluated (the letrec construct,
which will be described shortly, is used for setting up a possibly mutually
recursive set of declarations in which Q can be evaluated). Also, since our premises
are of the form $\pi \vdash P_i : \theta_i$, rather than $\pi[\iota_1{:}\theta_1,\dots,\iota_n{:}\theta_n] \vdash P_i : \theta_i$,
we did not need to include the types of $\iota_1,\dots,\iota_n$ explicitly in the let construct;
these types can be inferred by looking at the $P_i$'s.
Our desugaring is: 

$$\mathbf{let}\ \iota_1\ \mathbf{be}\ P_1\ \&\cdots\&\ \iota_n\ \mathbf{be}\ P_n\ \mathbf{in}\ Q =_{df} (\lambda\iota_1{:}\theta_1.\cdots\lambda\iota_n{:}\theta_n.Q)(P_1)\cdots(P_n)$$



Reynolds's essence of Algol also uses a convenient notation for making 
possibly recursive local definitions in programs (also from Landin): 

$$\frac{\pi[\iota_1{:}\theta_1,\dots,\iota_n{:}\theta_n] \vdash Q : \theta \qquad \pi[\iota_1{:}\theta_1,\dots,\iota_n{:}\theta_n] \vdash P_i : \theta_i \ \ (\text{for } i = 1,2,\dots,n)}{\pi \vdash \mathbf{letrec}\ \iota_1{:}\theta_1\ \mathbf{be}\ P_1\ \&\cdots\&\ \iota_n{:}\theta_n\ \mathbf{be}\ P_n\ \mathbf{in}\ Q : \theta}$$

The letrec construct does bind $\iota_1,\dots,\iota_n$ in all of $P_1,\dots,P_n$ (and also, of
course, in Q). Also, it is no longer possible to infer $\theta_i$ merely from π and $P_i$;
consequently the $\theta_i$'s must appear explicitly in the letrec construct.

Desugaring a letrec is a little harder. We first show how to desugar the case
when n = 1. Then we reduce the case n > 1 to the case n = 1. For the
non-multiple case (n = 1), we have:

$$\mathbf{letrec}\ \iota_1{:}\theta_1\ \mathbf{be}\ P_1\ \mathbf{in}\ Q =_{df} (\lambda\iota_1{:}\theta_1.Q)(\mathbf{rec}\ \lambda\iota_1{:}\theta_1.P_1)$$

We reduce the multiple case to the single case by using Bekić's
theorem [2,27]. In our notation, Bekić's theorem reads as follows:

Theorem 1 (Bekić)

$$\mathbf{letrec}\ \iota_1{:}\theta_1\ \mathbf{be}\ P_1\ \&\ \iota_2{:}\theta_2\ \mathbf{be}\ P_2\ \mathbf{in}\ Q$$
$$= \mathbf{letrec}\ \iota_1{:}\theta_1\ \mathbf{be}\ (\mathbf{letrec}\ \iota_2{:}\theta_2\ \mathbf{be}\ P_2\ \mathbf{in}\ P_1)\ \mathbf{in}\ (\mathbf{letrec}\ \iota_2{:}\theta_2\ \mathbf{be}\ P_2\ \mathbf{in}\ Q)$$

Bekić's theorem generalizes to handle $n \geq 3$ as follows:

$$\mathbf{letrec}\ \iota_1{:}\theta_1\ \mathbf{be}\ P_1\ \&\ \iota_2{:}\theta_2\ \mathbf{be}\ P_2\ \&\cdots\&\ \iota_n{:}\theta_n\ \mathbf{be}\ P_n\ \mathbf{in}\ Q$$
$$= \mathbf{letrec}\ \iota_1{:}\theta_1\ \mathbf{be}\ (\mathbf{letrec}\ \iota_2{:}\theta_2\ \mathbf{be}\ P_2\ \&\cdots\&\ \iota_n{:}\theta_n\ \mathbf{be}\ P_n\ \mathbf{in}\ P_1)\ \mathbf{in}\ (\mathbf{letrec}\ \iota_2{:}\theta_2\ \mathbf{be}\ P_2\ \&\cdots\&\ \iota_n{:}\theta_n\ \mathbf{be}\ P_n\ \mathbf{in}\ Q)$$

The final piece of sugar in Reynolds's essence of Algol which is worth 
mentioning here is variable declaration blocks. The syntax of such a block is: 

$$\frac{\pi[\iota{:}\mathrm{var}[\tau]] \vdash P : \mathrm{comm}}{\pi \vdash \mathrm{New}[\tau]\ \iota\ \mathbf{in}\ P : \mathrm{comm}}$$



Formally, we could let the binding be done by a λ-expression, and then
introduce a typed constant $\mathrm{newvar}_\tau$ into the language in order to capture the rest
of the intention of the declaration. This then gives us the following desugaring:

$$\mathrm{New}[\tau]\ \iota\ \mathbf{in}\ P =_{df} \mathrm{newvar}_\tau\ (\lambda\iota{:}\mathrm{var}[\tau].P).$$

Note: since we have dropped all data types other than integer, we do not even
need to explicitly mention τ in the declaration, thus giving New ι in P, and the
desugaring $\mathrm{newvar}\ (\lambda\iota{:}\mathrm{var}.P)$ instead.



Chapter 2 

Definition of EoA 



The language EoA is built upon a simply typed λ-calculus over base types
exp and comm. In addition to the standard λ-calculus term constructors of
λ-abstraction and application, EoA contains a term constructor New for
expressing local-variable declaration blocks. EoA contains typed constants for
basic arithmetic operations on exp. Recursion is uniformly available at all types.
Conditionals are provided for the base types, and are uniformly definable for 
higher types. The "do nothing" command skip is available, as is sequencing of 
commands. For simplicity there is only one basic data type, which we assume 
to be the non-negative integers; it should be a routine exercise to modify the 
results here to extend EoA with additional basic data types (such as booleans 
or characters). 

2.1 Differences Between EoA and Reynolds's Essence of Algol

There are three fundamental differences between EoA and Reynolds's essence of
Algol. First, the only storable data type of EoA is integer, whereas Reynolds
also considers real and boolean. We do not consider the data type real, because
our primary interest is in understanding the nature of block structured local
variables, and we believe that the issue of subtyping and implicit coercions is
largely orthogonal to the issue of block structured local variables. For simplicity,
we also do not have boolean as a basic data type. We expect that it would be a
routine exercise to extend the work here to handle additional basic data types. 1

The second fundamental difference is the lack of the type var(iable) in EoA,
although we do retain acc(eptor) and exp(ressor). The technical justifications
for eliminating var appear in Section 2.2.1. EoA treats acc as a type synonym
for exp → comm. A fundamental consequence of the lack of var and the change
to acc is that we no longer need coercions (implicit or explicit) from var to acc or
exp. Reynolds's essence of ALGOL provides an implicit coercion from the type
var to exp. When we think of acc as merely a type synonym for exp → comm,
we see that the assignment operator := merely functions as an explicit coercion
from var to (exp → comm). Of course, there will be some minor syntactic
modifications to new-variable blocks. For example, in the sugared language the
New structure will now need to take two identifiers in addition to the block-body
as argument (where one identifier will be tied to the writing component of the
newly allocated variable, and the other tied to its reading component).

1 Although we expect it to be simple to extend the language with other basic data types,
we have not thought carefully about extending our results for a version of EoA extended with
a rich structure of subtypes and implicit coercions.

The final substantial difference between EoA and Reynolds's essence of Al- 
gol is that in EoA, identifiers come explicitly with types— as opposed to us- 
ing a simply-typed lambda calculus based on untyped identifiers. Specifically, 
Reynolds's essence of ALGOL uses typing judgments of the form $\pi \vdash M : \theta$, and
lambda abstraction takes the form $\lambda x{:}\theta.M$. In EoA, typing judgments are
unnecessary, and lambda abstraction looks like $\lambda x.M$, where x, by definition,
has some specified type. We make this simplification for expository reasons. A 
suitable version of the adequacy result also holds for the version with untyped 
identifiers, but some substantial changes do need to be made to the definitions 
for it to work. 

There are two other minor differences between EoA and Reynolds's essence 
of ALGOL, both existing to simplify our exposition. For reasons which arise 
when defining the operational semantics of EoA, we find it more convenient not 
to use Reynolds's desugaring of new variable declarations. Thus we leave New 
as a term constructor in EoA. Moreover, since we keep New structures in our 
kernel language, we do not bother to introduce the constant newvar. There is 
one additional change to the New structure. We find it useful to include a fourth 
component in a New structure — an argument of type exp which will provide the 
initial value of the newly allocated location. So, if E is a term of type exp, P a
term of type comm, ι an identifier of type acc, and κ an identifier of type exp,
then $(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathbf{in}\ P)$ is a term of type comm.

Finally, we introduce a collection of recursion constants $Y_\theta$, one for each
type θ. The constant $Y_\theta$ has type $(\theta \to \theta) \to \theta$. These constants enable us to
discard the term constructor rec. Specifically, if M is a term of type $\theta \to \theta$, then
in EoA we use $(Y_\theta\ M)$ instead of $(\mathbf{rec}\ M)$.

The rest of this Chapter consists of a formal definition of the syntax and 
operational semantics of EoA and a precise statement of our definition of ade- 
quacy. 



2.2 Kernel Syntax 

2.2.1 Types 

The base types of EoA are exp (for expressor) and comm (for command). The 
type exp contains integer thunks — objects which when given a state evaluate 
to an integer. The type comm contains imperative commands — objects which 
when given a state evaluate to a new state (e.g. storing 5 in location x). The 
full set of types is defined inductively from the base types such that: if θ and τ
are types then θ → τ is a type (corresponding to the type of functions from θ
to τ).

EoA does not have integer as a base type. Consequently, we can not have 
integers as constants in our language. But we can have constants of type exp 
which behave like integer constants. In particular, if n is an integer, we could 
write n to denote the constant thunk which in any state produces the integer n. 
There is a subtle, but fundamental, difference between constants in the language 
and constant thunks. In EoA we generally think of an abstract meaning asso- 
ciated with a piece of code. Usually this meaning is a function on states. Such 
state-dependent objects are termed thunks. A constant thunk is a thunk that 
always gives the same result regardless of the state. The notion of a "constant 
thunk" is unrelated to the notion of being a linguistic constant. For example, 
(plus 1 1) is a constant thunk, but is clearly not a syntactic constant in the lan- 
guage EoA. Similarly it is plausible to introduce into EoA linguistic constants 
which do depend on the state. We have simply chosen not to do so. 

The most commonly used function type is exp → comm. Frequently we
will use acc to abbreviate exp → comm. Some authors would also like to have
available a type which would correspond to that of integer → comm. When
this type is available, it, rather than exp → comm, is typically used for acc.
The type var is also occasionally introduced as a base type to correspond to the
type acc × exp. Now that we have a better understanding of the nature of local
variables, these types are not as necessary. For example, we can simulate the
term M : integer → comm by the term (δ M) : exp → comm, where δ is:

$$\delta = \lambda M.\ \lambda k.\ (\mathrm{New}\ \iota', k' \leftarrow k\ \mathbf{in}\ (M\ k'))$$

To see how this works, consider

$$C = \lambda k.\ (\mathrm{seq}\ (\iota_1^{acc}\ (\mathrm{succ}\ k))\ (\iota_2^{acc}\ (\mathrm{succ}\ k)))$$

in $(C\ \iota_1^{exp})$ and $((\delta\ C)\ \iota_1^{exp})$, assuming that $\iota_j^{exp}$ and $\iota_j^{acc}$ are identifiers properly
bound to the reading and writing components of location j. Consider executing
these two commands in a state where location 1 has the value 10 and location
2 has the value 100. The term $(C\ \iota_1^{exp})$ results in 11 in location 1 and 12 in
location 2, because the second assignment re-reads location 1 after the first has
updated it. The term $((\delta\ C)\ \iota_1^{exp})$ results in 11 in both locations 1 and 2, because
k' reads a fresh location holding the value 10 that k had on entry to the block.
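As an added example (not code from the thesis), the following Python models this
fragment directly: states as tuples of integers, expressors as functions from states
to integers, commands as state transformers, acceptors as functions from expressors
to commands, and New as extension of the state by a fresh location that is dropped
again on exit. Locations are 0-based here (the thesis's locations 1 and 2 are indices
0 and 1); the names const, seq, reader, writer, new, delta, example_c and run_both
are this example's own.

```python
# Added example (not code from the thesis): a direct model in Python of the
# EoA fragment used above.  A state is a tuple of integers, one per location;
# locations are 0-based indices here, so the thesis's locations 1 and 2 are
# indices 0 and 1.  An expressor is a function state -> int, a command is a
# function state -> state, and an acceptor (acc = exp -> comm) takes an
# expressor and returns a command.  Arguments are passed by name, i.e. as
# unevaluated thunks, exactly as in EoA.
from typing import Callable, Tuple

State = Tuple[int, ...]
Exp = Callable[[State], int]
Comm = Callable[[State], State]
Acc = Callable[[Exp], Comm]


def const(n: int) -> Exp:
    """The numeral n: a constant thunk."""
    return lambda s: n


def succ(e: Exp) -> Exp:
    return lambda s: e(s) + 1


def seq(c1: Comm, c2: Comm) -> Comm:
    return lambda s: c2(c1(s))


def reader(loc: int) -> Exp:
    """Reading component (the exp half) of location loc."""
    return lambda s: s[loc]


def writer(loc: int) -> Acc:
    """Writing component (the acc half) of location loc.  The argument
    thunk is evaluated in the state current when the assignment runs."""
    def acc(e: Exp) -> Comm:
        def cmd(s: State) -> State:
            t = list(s)
            t[loc] = e(s)
            return tuple(t)
        return cmd
    return acc


def new(init: Exp, body: Callable[[Acc, Exp], Comm]) -> Comm:
    """New i, k <- init in body.  Evaluate init in the current state,
    extend the state by one fresh location holding that value, run the
    body with i and k bound to the writer and reader of that location,
    and finally drop the location again (the local storage discipline)."""
    def cmd(s: State) -> State:
        loc = len(s)
        result = body(writer(loc), reader(loc))(s + (init(s),))
        return result[:loc]
    return cmd


def delta(m: Callable[[Exp], Comm]) -> Callable[[Exp], Comm]:
    """delta = lambda M. lambda k. New i', k' <- k in (M k').
    The fresh location snapshots k, so M only ever sees a thunk that
    never changes: by-value parameter passing simulated with New."""
    return lambda k: new(k, lambda i_new, k_new: m(k_new))


def example_c(i1: Acc, i2: Acc) -> Callable[[Exp], Comm]:
    """C = lambda k. seq (i1 (succ k)) (i2 (succ k))"""
    return lambda k: seq(i1(succ(k)), i2(succ(k)))


def run_both(s0: State = (10, 100)) -> Tuple[State, State]:
    """Run C and (delta C) on the reader of location 0 from state s0
    (location 0 holds 10, location 1 holds 100) and return both results."""
    c = example_c(writer(0), writer(1))
    by_name = c(reader(0))(s0)          # (11, 12): second succ re-reads loc 0
    by_value = delta(c)(reader(0))(s0)  # (11, 11): both read the snapshot 10
    return by_name, by_value


if __name__ == "__main__":
    print(run_both())
```

The same machinery shows the local storage discipline: a command built with new
returns a state of the same length it was given, so the block's location is not
observable after the block exits.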
The type var is also unnecessary. We can eliminate var by referring to a
location via two distinct identifiers, one whose job is to represent the r-value
part (the reading part) and the other whose job is to represent the l-value part
(the updating part). Since we do not use var, we no longer need the explicit
coercions cont : var → exp, and :=, which has type var → acc. Depending on one's
choice of semantics, the traditional assignment operator := might be used as
more than just an explicit coercion; it may also be used to pass an argument
to an acceptor "by value." The choice is between evaluating the argument in
the current state and then passing the resulting constant thunk to the acceptor
(by-value), or passing the unevaluated, potentially non-constant thunk to the
acceptor (the way EoA does it). The by-value version can be expressed in EoA
using the term δ defined above.

For example, consider a New block in a language with the type var, and where 
New blocks have an argument slot for the initial value of the new location. 
Specifically, we consider a block of code to allocate two variables (the first
initialized to 0 and the second initialized to 1) with a body which assigns the
value stored in the location pointed to by the second variable to the location
pointed to by the first variable:

$$\mathrm{New}\ \mathit{fst} \leftarrow 0\ \mathbf{in}\ (\mathrm{New}\ \mathit{snd} \leftarrow 1\ \mathbf{in}\ (:=\ \mathit{fst}\ \mathit{snd})).$$

The translation of the block into EoA where ":=" is only doing an explicit
conversion looks like

$$\mathrm{New}\ \mathit{fstL}, \mathit{fstR} \leftarrow 0\ \mathbf{in}\ (\mathrm{New}\ \mathit{sndL}, \mathit{sndR} \leftarrow 1\ \mathbf{in}\ (\mathit{fstL}\ \mathit{sndR}))$$

When ":=" is both doing a coercion and forcing a call-by-value application the
translation looks like

$$\mathrm{New}\ \mathit{fstL}, \mathit{fstR} \leftarrow 0\ \mathbf{in}\ (\mathrm{New}\ \mathit{sndL}, \mathit{sndR} \leftarrow 1\ \mathbf{in}\ (\delta\ \mathit{fstL}\ \mathit{sndR})).$$

2.2.2 Identifiers and Terms 

We assume that we have an infinite set of identifiers of each type. We let $\alpha^\theta$
be a metavariable ranging over identifiers of type θ (we'll just write α when we
need a metavariable ranging over identifiers but the type is unimportant). We
let ι be a metavariable ranging over identifiers of type acc = exp → comm, and
κ range over identifiers of type exp. The set of constants from which we build
up EoA is shown in Figure 2.1. The set of EoA terms, denoted by $\mathcal{L}$, is built
up from these constants by the usual inductive definition, augmented with one
extra case for New blocks:

• $\alpha^\theta$ is a term of type θ;

• $c^\theta \in \mathrm{Const}$ is a term of type θ;
    n            : exp                        (one numeral for each integer n)
    skip         : comm
    IFexp_exp    : exp → exp → exp → exp
    seq          : comm → comm → comm
    IFexp_comm   : exp → comm → comm → comm
    Y_θ          : (θ → θ) → θ                (one constant for each type θ)
    succ         : exp → exp
    plus         : exp → exp → exp

Figure 2.1: Const, the set of constants of EoA and their types.

• (M N) is a term of type τ if M has type θ → τ and N has type θ;

• $(\lambda\alpha^\theta.\ M)$ is a term of type θ → τ if M has type τ;

• $(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathbf{in}\ P)$ is a term of type comm if E has type exp and P has
type comm.

We abbreviate the phrase "M is a term of type θ" by writing M : θ.

We adopt the following conventions about associativity and the extent of 
binding operators which allow us to drop certain parenthesis without introducing 
ambiguity. 

• All applications are parenthesized to the left so the expressions
$(M_1\ M_2\ M_3)$ or $M_1\ M_2\ M_3$ can be written for $((M_1\ M_2)\ M_3)$.

• The body of a λ-expression or New declaration extends to the first
unmatched right parenthesis.

• Although readability is usually enhanced by dropping unneeded parenthe- 
ses, we feel free to leave in any parenthesis that will enhance readability. 

For types, we assume that → associates to the right, so that we may also
drop unnecessary parentheses in type expressions. For example, we can write
$\tau_1 \to \tau_2 \to \tau_3$ in place of $(\tau_1 \to (\tau_2 \to \tau_3))$. In addition, in informal discussion,
we may write binary operators in infix notation (e.g. $c_1 ; c_2$ instead of $(\mathrm{seq}\ c_1\ c_2)$,
and $e_1 + e_2$ instead of $(\mathrm{plus}\ e_1\ e_2)$).

The intended semantics of a term constructed with New is not obvious. 
Consider the term 

$$\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathbf{in}\ P.$$

The intended semantics is to evaluate E in the current state to an integer n.
Then, extend the state by a new location whose initial value is n. Finally,
evaluate P in a manner in which the identifier ι is bound to the writing component of
this new location, and the identifier κ is bound to the reading component of this
new location. There are several important details to note about this construct.
First, the order of the identifiers is important to remember: the writing
component (the acceptor) comes first, and the reading component (the expressor)
comes second. In addition, the choice of the names of these identifiers in no way
affects the evaluation of E; however, the choice of the names of these identifiers
has a major impact upon the evaluation of P. In other words, New binds ι
and κ in the term P, but not in the term E.

2.2.3 Free and Bound Identifiers, Substitution, and Closed 
Terms 

The standard λ-calculus concepts of free and bound identifiers, closed and open
terms, and substitution make sense for EoA. When we say "free identifier" 
we are really talking about the standard A-calculus notion of "free variable." 
Unfortunately, in the setting of an ALGOL-like language, it is necessary to co-opt 
the meaning of "variable." Instead of using "variable" in the "logical" sense we 
use it in the "programming sense" — variables are how we introduce side-effects 
and dependence on a state. To remain consistent with the usual definitions, 
we will write "FV(M )" and "BV(M )" to denote the free identifiers of M and 
bound identifiers of M respectively. 

Since we have an extra term constructor (New) we need to modify the usual 
definitions to fit EoA. This requires some care, since, like λ-abstraction, New is
a binding construct. We adapt most of the standard conventions and definitions 
of Barendregt [1] to EoA. 

The set FV(M) of free identifiers of M is defined inductively on the struc- 
ture of M as follows: 

$FV(c) = \emptyset$, for all constants c.

$FV(\alpha) = \{\alpha\}$, for all identifiers α.

$FV(M\,N) = FV(M) \cup FV(N)$.

$FV(\lambda\alpha.M) = FV(M) - \{\alpha\}$.

$FV(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathbf{in}\ P) = FV(E) \cup (FV(P) - \{\iota, \kappa\})$.

Note that ι or κ (or both) can be free in $\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathbf{in}\ P$ iff it appears
free in E.

The set BV(M) of bound identifiers of M is defined inductively on the 
structure of Mas follows: 

$BV(c) = \emptyset$, for all constants c.

$BV(\alpha) = \emptyset$, for all identifiers α.

$BV(M\,N) = BV(M) \cup BV(N)$.

$BV(\lambda\alpha.M) = BV(M) \cup \{\alpha\}$.

$BV(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathbf{in}\ P) = BV(E) \cup BV(P) \cup \{\iota, \kappa\}$.

It is perfectly reasonable for an identifier to appear both free and bound in the
same term (e.g. α in $(x\ (\lambda\alpha.\alpha)\ \alpha)$).

Definition 2 A term M is closed iff $FV(M) = \emptyset$.
Barendregt defines a change of bound identifiers in M as the replacement
of a part $(\lambda\alpha.\ N)$ of M by $(\lambda\alpha'.\ N[\alpha'/\alpha])$, where α' does not occur (at all) in
N. Since α' is fresh we can syntactically replace all occurrences of α in N by
α' without the usual dangers. For EoA, we must also allow for the change of
identifiers bound by New. In particular, a change of bound identifiers in M
can be of the above form, or of the following form: the replacement of a part
$(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathbf{in}\ C)$ of M by either

• $(\mathrm{New}\ \iota, \kappa' \leftarrow E\ \mathbf{in}\ C[\kappa'/\kappa])$ where κ' does not occur (at all) in C, or

• $(\mathrm{New}\ \iota', \kappa \leftarrow E\ \mathbf{in}\ C[\iota'/\iota])$ where ι' does not occur (at all) in C.

We can now define α-congruence ($=_\alpha$) for EoA terms by saying: $M =_\alpha N$ if
N results from M by a series of changes of bound identifiers. We adopt the
convention that terms that are α-congruent are identified. We also adopt the
further identifier convention: if $M_1,\dots,M_n$ occur in a certain mathematical
context (e.g. definition, proof), then in these terms all bound identifiers are
chosen to be different from the free identifiers.

Since the binding constructs in EoA are somewhat different from the pure
simply-typed λ-calculus, it is worth providing the full definition of the
substitution operator in order to avoid confusion. Specifically we write $M[N/\alpha]$ to
represent the result of substituting N for all free occurrences of α in M. We
define $M[N/\alpha]$ by induction on the structure of M as follows:

$\alpha[N/\alpha] = N$

$\alpha'[N/\alpha] = \alpha'$ for α' any identifier other than α

$c[N/\alpha] = c$ for c any constant

$(P\,Q)[N/\alpha] = (P[N/\alpha])(Q[N/\alpha])$

$(\lambda\alpha'.M)[N/\alpha] = (\lambda\alpha'.M[N/\alpha])$



In the above clause it is not necessary to say "provided that a' ^ a and 
a' £ FV(A r )," as the identifier convention insures that this is the case. Finally 
we have the case for New which is again simplified by adopting the identifier 
convention. 

(Newt, k — E in C)[N/a] 

= (New t, /e — (E[N/a\) in C[N/a]) 



So long as N : 6 then it is obvious from the definition of M[N/a e ] that the result 
is a term which has the same type as M. 
2.3 Assigning Operational Semantics

An ability to read from and write to the state is a fundamental aspect of imper- 
ative programming. What distinguishes EoA from other languages which com- 
bine imperative programming and the higher-order functionality of the simply- 
typed lambda calculus is its variable allocation mechanism. This allocation 
occurs via New blocks. Intuitively we think of the process of executing a New 
block as: upon entrance, extending the state by another "location"; then eval- 
uating the body of the block in an "environment" where the "block identifiers" 
are appropriately bound to this new location; and finally, at the end of the block 
removing this "new" location from the state. This informal description points 
out three elements which are crucial to defining our operational semantics: 

• We need a way of representing the state. 

• We need a notion of "location," a way of extending the state by a new
location, and a way of removing a location from the state.

• We need a way to evaluate the body of a block where the block identifiers
are properly tied to a new location.


Given that we will only be storing integers in the state, a very simple repre- 
sentation of states and locations arises naturally. Specifically, a state will simply 
be a finite sequence of integers. A location can be an index into such a sequence. 
To extend a state by a new location, we simply need to append the initial value 
for the new location onto the state. To remove the last location from the state, 
we simply strip the last value off the sequence. 

In order to evaluate the body of a block we need a way to tie terms to states. 
There are two plausible approaches. On the one hand, we could introduce 
location constants into the language. This would enable us to determine the 
behavior of a New block by looking at the behavior of the body of the block 
when we instantiate the block identifiers by appropriate location constants (one 
constant for the acceptor and a different constant for the expressor). On the 
other hand, we could introduce the notion of a binding to variables. The purpose
of a binding would be to tie the block identifiers properly to the new location.
Thus, to determine the behavior of a New block under a binding B, we look at 
the behavior of the body of the block under a binding B' (which is exactly like 
B except B' ties the block identifiers properly to the new location). We choose 
the second approach. 

We now make this precise with a few definitions. A state is a finite sequence
of integers. The collection of all possible states, written S, is ℕ*. We will
typically use the metavariable σ to range over states. The following five items
are important for manipulating states:

• length: S → ℕ.

• proj(σ, k): the k-th component of σ.

• update(σ, k, n): returns a state just like σ except the k-th component is
set to n.

• EmptyState: denotes the zero-length state.

• s₁.s₂ is used to denote the concatenation of two states, s₁ and s₂. More
formally,

$$(v_1, \ldots, v_k).(v'_1, \ldots, v'_{k'}) = (v_1, \ldots, v_k, v'_1, \ldots, v'_{k'}).$$

Often we will write the integer v when we really mean the state (v); however,
the intended interpretation should always be clear from the context.

A binding to variables, henceforth called a binding, is a finite function from
identifiers of type exp or acc to ℕ. We call the collection of all bindings ℬ. The
purpose of a binding is to tie a term M to a state σ via its free identifiers of
type exp and acc. Specifically, a binding explains how to use an identifier of
type exp to read from a location in the state and it also explains how to use an
identifier of type acc to write to a location in the state.

Definition 3 The index of a non-empty binding B (written index(B)) is the
greatest integer i in the range of B. The index of the empty binding,
EmptyBind, is 0.

Definition 4 An lterm is a pair [M, B] ∈ (ℒ × ℬ) (recall that ℒ is the set of all
(open and closed) EoA terms). We extend the notion of free identifiers to lterms
in the following way: FV([M, B]) = FV(M) − Dom(B) (note: our identifier convention
allows us to assume that bound identifiers of M are also not in Dom(B)).
A closed lterm is an lterm [M, B] such that FV([M, B]) = ∅. An instantiation
[L, B] of a closed lterm [M, B] is the result of a sequence of substitutions of
terms N₁ : θ₁, ..., N_k : θ_k for a sequence of identifiers α₁^{θ₁}, ..., α_k^{θ_k} ∈ Dom(B)
to obtain the term L. A closed instantiation of a closed lterm [M, B] is an
instantiation of [M, B] which is a closed lterm.

We will explain the behavior of EoA code by defining the behavior of closed
lterms via a Structured Operational Semantics (SOS) in the style of [19]. Before
we go into the definition we first note that EoA is somewhat unconventional.
EoA combines two very different notions. On the one hand, it has the full
type structure of the simply typed lambda calculus, the intended semantics for
the functional fragment of EoA is the call-by-name lambda calculus, and the
functional fragment can be handled by term rewriting. On the other hand, the
evaluation of base type expressions involving imperative features requires a full
fledged SOS involving configurations.

Consequently, our operational semantics is a hybrid of these two schemes.
The configuration rewriting does not even apply to higher order terms; we
directly restrict ourselves to the base types comm and exp for configuration
rewriting. All evaluation of higher order terms is handled via the term rewriting
rules (as we will see in Figure 2.3). The method of evaluation of base type terms
depends on the principal operator of the term. If it is of the functional sort (a
lambda abstraction) then term rewriting will be used to determine how the
configuration behaves. If it is of an imperative sort (e.g. an assignment, or the
evaluation of an expression) then the rules for the imperative features kick in.
We define a configuration to be a triple ⟨Q, B, σ⟩ ∈ (ℒ × ℬ × S) such that
[Q, B] is a closed lterm of base type, and index(B) ≤ length(σ). We call the
collection of all configurations 𝒞. Formally we define a binary relation, →_𝒞, on
𝒞 ∪ ℒ. The intended interpretation of ⟨Q, B, σ⟩ →_𝒞 ⟨Q', B', σ'⟩ is that one step
of the evaluation of Q (tied to state σ by binding B) results in Q' (tied to state
σ' by binding B'). The intended interpretation of M →_𝒞 M' is the usual one.
We then define ↠_𝒞 as the reflexive transitive closure of
→_𝒞. Figure 2.2 lists the metavariable conventions which we make in giving the
operational semantics. We attempt to follow them throughout the rest of this
thesis. The full set of rules defining →_𝒞 appear in Figures 2.3, 2.4 and 2.5.



    θ        arbitrary types
    β        base types (exp or comm)
    M, N     terms of arbitrary type
    E        terms of type exp
    P        terms of type comm
    Q        terms of base type (exp or comm)
    α        (typed) identifiers of arbitrary type
    α^θ      identifiers of type θ
    ι        identifiers of type acc
    κ        identifiers of type exp

Figure 2.2: Metavariable conventions.



2.4 Properties of →_𝒞

There are some quite simple, but quite important properties of →_𝒞 which we will
use later. All but the last are verified by a simple induction on the structure
of terms. In stating the properties, we assume that ⟨Q, B, σ⟩ is an arbitrary
element of 𝒞.

1. →_𝒞 is deterministic, viz. it is the graph of a partial function on 𝒞 ∪ ℒ.

2. If ⟨Q, B, σ⟩ →_𝒞 ⟨Q', B', σ'⟩ then B = B', length(σ) = length(σ'), and Q
and Q' have the same type.
$$\begin{array}{ll}
(\lambda\alpha.\,M)N \to_{\mathcal{C}} M[N/\alpha] & \text{(beta)}\\[6pt]
\dfrac{M \to_{\mathcal{C}} M'}{(MN) \to_{\mathcal{C}} (M'N)} & \text{(eval-operator)}\\[6pt]
Y_\theta M \to_{\mathcal{C}} M(Y_\theta M) & \text{(rec-unwind)}\\[6pt]
\dfrac{Q \to_{\mathcal{C}} Q'}{\langle Q, B, \sigma\rangle \to_{\mathcal{C}} \langle Q', B, \sigma\rangle} & \text{(interaction)}
\end{array}$$

Figure 2.3: Functional rules.

3. If Q is not of type comm and ⟨Q, B, σ⟩ →_𝒞 ⟨Q', B', σ'⟩, then σ = σ' (i.e.
only commands can have side effects).

4. Let α ∉ FV(Q) and i ≤ length(σ); then

⟨Q, B, σ⟩ →_𝒞 ⟨Q', B, σ'⟩ iff ⟨Q, B[i/α], σ⟩ →_𝒞 ⟨Q', B[i/α], σ'⟩,

i.e. for α ∉ FV(Q), B(α) does not affect the behavior of the configuration
⟨Q, B, σ⟩.

5. If P is of type comm, then either

⟨P, B, σ⟩ ↠_𝒞 ⟨skip, B, σ'⟩ for some σ',
or ⟨P, B, σ⟩ →_𝒞 ⟨P₁, B, σ₁⟩ →_𝒞 ⟨P₂, B, σ₂⟩ →_𝒞 ⋯

In the first case we say "P (with binding B in state σ) converges." In the
second case we say "P (with binding B in state σ) diverges."

The last property can be verified by defining an appropriate notion of normal
form for closed lterms and noticing that the only normal forms of type comm
have term part skip.

2.5 Observations 

Now that we have defined our operational semantics and established some consis- 
tency properties of this semantics, we can introduce some notions of "behaviors" 
of programs. Of course, we first need to decide what a program is. 

Definition 5 An EoA program is an EoA command whose free identifiers are
of type exp or acc.

A binding provides the mechanism for linking a program to the state, possibly 
introducing sharing. We can view our operational semantics as specifying how 
$$\begin{array}{ll}
\langle \mathrm{succ}\ n, B, \sigma\rangle \to_{\mathcal{C}} \langle n+1, B, \sigma\rangle & \text{(succ-do)}\\[6pt]
\dfrac{\langle E, B, \sigma\rangle \to_{\mathcal{C}} \langle E', B, \sigma\rangle}{\langle \mathrm{succ}\ E, B, \sigma\rangle \to_{\mathcal{C}} \langle \mathrm{succ}\ E', B, \sigma\rangle} & \text{(succ-eval-arg)}\\[6pt]
\langle (\mathrm{plus}\ n_1\ n_2), B, \sigma\rangle \to_{\mathcal{C}} \langle n_1 + n_2, B, \sigma\rangle & \text{(plus-do)}\\[6pt]
\dfrac{\langle E_1, B, \sigma\rangle \to_{\mathcal{C}} \langle E_1', B, \sigma\rangle}{\langle (\mathrm{plus}\ E_1\ E_2), B, \sigma\rangle \to_{\mathcal{C}} \langle (\mathrm{plus}\ E_1'\ E_2), B, \sigma\rangle} & \text{(plus-eval-arg1)}\\[6pt]
\dfrac{\langle E_2, B, \sigma\rangle \to_{\mathcal{C}} \langle E_2', B, \sigma\rangle}{\langle (\mathrm{plus}\ n\ E_2), B, \sigma\rangle \to_{\mathcal{C}} \langle (\mathrm{plus}\ n\ E_2'), B, \sigma\rangle} & \text{(plus-eval-arg2)}\\[6pt]
\langle (\mathrm{IFexp}_\beta\ 0\ Q_1\ Q_2), B, \sigma\rangle \to_{\mathcal{C}} \langle Q_1, B, \sigma\rangle & \text{(IFexp-true)}\\[6pt]
\langle (\mathrm{IFexp}_\beta\ n+1\ Q_1\ Q_2), B, \sigma\rangle \to_{\mathcal{C}} \langle Q_2, B, \sigma\rangle & \text{(IFexp-false)}\\[6pt]
\dfrac{\langle E, B, \sigma\rangle \to_{\mathcal{C}} \langle E', B, \sigma\rangle}{\langle (\mathrm{IFexp}_\beta\ E\ Q_1\ Q_2), B, \sigma\rangle \to_{\mathcal{C}} \langle (\mathrm{IFexp}_\beta\ E'\ Q_1\ Q_2), B, \sigma\rangle} & \text{(IFexp-eval-guard)}
\end{array}$$

Figure 2.4: Plotkin style SOS rules defining the operational semantics of EoA
for ordinary non-imperative terms.



$$\begin{array}{ll}
\langle (\iota\ n), B, \sigma\rangle \to_{\mathcal{C}} \langle \mathrm{skip}, B, \mathrm{update}(\sigma, B(\iota), n)\rangle & \text{(variable-write)}\\[6pt]
\langle \kappa, B, \sigma\rangle \to_{\mathcal{C}} \langle \mathrm{proj}(\sigma, B(\kappa)), B, \sigma\rangle & \text{(variable-read)}\\[6pt]
\dfrac{\langle E, B, \sigma\rangle \to_{\mathcal{C}} \langle E', B, \sigma\rangle}{\langle (\iota\ E), B, \sigma\rangle \to_{\mathcal{C}} \langle (\iota\ E'), B, \sigma\rangle} & \text{(assign-eval-arg)}\\[6pt]
\langle (\mathrm{seq}\ \mathrm{skip}\ P), B, \sigma\rangle \to_{\mathcal{C}} \langle P, B, \sigma\rangle & \text{(seq-discharge)}\\[6pt]
\dfrac{\langle P_1, B, \sigma\rangle \to_{\mathcal{C}} \langle P_1', B, \sigma'\rangle}{\langle (\mathrm{seq}\ P_1\ P_2), B, \sigma\rangle \to_{\mathcal{C}} \langle (\mathrm{seq}\ P_1'\ P_2), B, \sigma'\rangle} & \text{(seq-eval-arg1)}\\[6pt]
\langle (\mathrm{New}\ \iota, \kappa \leftarrow n\ \mathrm{in}\ \mathrm{skip}), B, \sigma\rangle \to_{\mathcal{C}} \langle \mathrm{skip}, B, \sigma\rangle & \text{(New-discharge)}\\[6pt]
\dfrac{\langle E, B, \sigma\rangle \to_{\mathcal{C}} \langle E', B, \sigma\rangle}{\langle (\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P), B, \sigma\rangle \to_{\mathcal{C}} \langle (\mathrm{New}\ \iota, \kappa \leftarrow E'\ \mathrm{in}\ P), B, \sigma\rangle} & \text{(New-init)}\\[6pt]
\dfrac{\langle P, B', \sigma.n\rangle \to_{\mathcal{C}} \langle P', B', \sigma'.n'\rangle}{\langle (\mathrm{New}\ \iota, \kappa \leftarrow n\ \mathrm{in}\ P), B, \sigma\rangle \to_{\mathcal{C}} \langle (\mathrm{New}\ \iota, \kappa \leftarrow n'\ \mathrm{in}\ P'), B, \sigma'\rangle} & \text{(New-eval)}\\[4pt]
\multicolumn{2}{l}{\quad\text{where } l = 1 + \mathrm{length}(\sigma) \text{ and } B' = B[l/\iota, l/\kappa].}
\end{array}$$

Figure 2.5: The new rules which need to be introduced in order to capture
imperative features.
to associate with each closed lterm of type comm a partial function on states.
Note that a closed lterm of type comm is merely a program P paired with a
binding B such that FV(P) ⊆ Dom(B). Specifically, the partial function f_{[P,B]}
associated with [P, B] is defined by:

$$f_{[P,B]}(\sigma) = \begin{cases}
\sigma' & \text{if } \langle P, B, \sigma\rangle \twoheadrightarrow_{\mathcal{C}} \langle \mathrm{skip}, B, \sigma'\rangle,\\
\text{undefined} & \text{if } P \text{ with binding } B \text{ diverges in state } \sigma,\\
\text{undefined} & \text{if } \mathrm{length}(\sigma) < \mathrm{index}(B)
\end{cases}$$

(viz. in the last case the state is not "large enough" to fit with B).

It is the closed lterm [P, B] which most closely coincides with the traditional
notion of ALGOL-like program, with the binding B linking the program P to
the state via the free exp and acc identifiers in P. There is a natural notion of
equivalence between programs, ≈^p_obs, which we formally define as follows.

Definition 6 Let P₁, P₂ be programs. Define P₁ ≈^p_obs P₂ by the condition:

For all B such that [P₁, B] and [P₂, B] are both closed lterms,
f_{[P₁,B]} = f_{[P₂,B]}.

It requires a little bit of proof (using the previously mentioned properties of →_𝒞)
to show that ≈^p_obs is actually an equivalence relation. Unfortunately, the relation
≈^p_obs is not a congruence on programs, as free acceptors can be instantiated by
"bad" variables (they could have side-effects). For example, while

(ι 1) ≈^p_obs (ι 9); (ι 1),

it is not hard to see how to write a term M of type acc such that in some binding
B we have f_{[(M 1), B]} ≠ f_{[(M 9);(M 1), B]}, and so

(M 1) ≉^p_obs (M 9); (M 1).

Given such a term M, the context C[·] = (λι.[·])M (a context is merely a term
with a "hole") will obviously distinguish (ι 1) from (ι 9); (ι 1).

Definition 7 Let ≡^p_obs be the congruence on terms generated by ≈^p_obs. Specifically,
M ≡^p_obs N iff for all contexts C[·] such that C[M] and C[N] are programs,
C[M] ≈^p_obs C[N].

It again requires a little proof to show that ≡^p_obs is in fact an equivalence relation,
but requires no new ideas.

On the other hand, one could make the argument that ≈^p_obs does not match
Reynolds's goal of eliminating locations from explicitly appearing in an
ALGOL-like language. Essentially our notion of program amounts to observing
open commands in a very special set of contexts. From a technical point of
view, one might have expected a definition of completely closed command,
viz. a command P such that FV(P) = ∅. Our observation would then simply
be termination of a completely closed command. We now generate a definition
of observational equivalence and observational congruence based on observing
termination.

Definition 8 Let P₁, P₂ be completely closed commands; define P₁ ≈^c_obs P₂ by
the condition:

⟨P₁, EmptyBind, EmptyState⟩ ↠_𝒞 ⟨skip, EmptyBind, EmptyState⟩
iff ⟨P₂, EmptyBind, EmptyState⟩ ↠_𝒞 ⟨skip, EmptyBind, EmptyState⟩.

The relation ≈^c_obs is obviously an equivalence relation; it is also a congruence
on completely closed commands. We can generalize ≈^c_obs to a congruence on
terms by defining M ≡^c_obs N by the condition that whenever C[M] and C[N]
are completely closed commands, C[M] ≈^c_obs C[N]. (It again requires a little
proof to show that ≡^c_obs is an equivalence relation.)

We have now defined two seemingly different notions of observational congruence,
≡^p_obs and ≡^c_obs. We would like to claim that restricting observations
to completely closed commands, rather than observing programs directly, does
not change the congruence generated. In other words, ≡^p_obs and ≡^c_obs define the
same relation on terms. We prove this as the following theorem, which then
justifies the use of the notation ≡_obs.

Theorem 9 M ≡^p_obs N iff M ≡^c_obs N.

Proof: The "only if" (⇒) direction is obvious. The proof of the "if" (⇐)
direction requires the following further uniformity property of →_𝒞 and the analogous
version for acc, both of which are proven by a straightforward structural
induction.

Lemma 10 Suppose B(α₁^exp) = B(α₂^exp). Let N = M[α₂^exp/α₁^exp].

If ⟨M, B, σ⟩ →_𝒞 ⟨M', B, σ'⟩ then ⟨N, B, σ⟩ →_𝒞 ⟨M'[α₂^exp/α₁^exp], B, σ'⟩.

Conversely, if ⟨N, B, σ⟩ →_𝒞 ⟨N', B, σ'⟩ then there exists an M' such that

N' = M'[α₂^exp/α₁^exp] and ⟨M, B, σ⟩ →_𝒞 ⟨M', B, σ'⟩.

We now sketch the proof that M ≢^p_obs N implies M ≢^c_obs N. Let C[·] be
a program context distinguishing M and N. Let B be a binding and σ a state
demonstrating this distinction. Without loss of generality, suppose

⟨C[M], B, σ⟩ ↠_𝒞 ⟨skip, B, σ'⟩ but not ⟨C[N], B, σ⟩ ↠_𝒞 ⟨skip, B, σ'⟩.

From the context C[·] we will construct a completely closing command context
C'[·] which will allocate length(σ) variables such that the i-th allocation is
initialized to the i-th component of σ. The body will consist of an execution of C[·]
in a manner such that the binding B is encoded by tying the free identifiers of
C[·] to the variables allocated above. After properly executing [·], we check that
the resulting state is σ': if it is, the term halts; if it is not, the term diverges.
To construct this context C'[·], let

{α₁^exp, ..., α_p^exp, α₁^acc, ..., α_q^acc} = Dom(B),

n = length(σ),

ι₁, ..., ι_n be fresh acceptors,

and κ₁, ..., κ_n be fresh expressors.

We take the context C'[·] to be:

New ι₁, κ₁ ← proj(σ, 1)
in New ι₂, κ₂ ← proj(σ, 2)
in ⋯
New ι_n, κ_n ← proj(σ, n)
in (λα₁^exp ... α_p^exp α₁^acc ... α_q^acc. C[·]) κ_{B(α₁^exp)} ... κ_{B(α_p^exp)} ι_{B(α₁^acc)} ... ι_{B(α_q^acc)};
(IFexp_comm (κ₁ ≠ proj(σ', 1)) diverge
(IFexp_comm (κ₂ ≠ proj(σ', 2)) diverge
⋯
(IFexp_comm (κ_n ≠ proj(σ', n)) diverge skip) ⋯ ))

The completely closed command C'[M] will always converge, whereas the completely
closed command C'[N] will always diverge; thus M ≢^c_obs N. ∎

Now that we have a satisfactory notion of observational congruence, we
address what we mean when we say that a model is adequate for this notion
of observational congruence. Jim and Meyer [6] provide a discussion of the
basic principles behind the definitions of observations, observational congruence,
adequacy and full abstraction. They also give some Lemmas which provide
alternative characterizations of adequacy when a model possesses various special
properties. The rest of this Section is adapted from that discussion.

A meaning function for EoA is a function ⟦·⟧ from terms M to values in
some space (for the Tennent model these values will be natural transformations
between functors from a category of possible worlds to the category of (possibly)
bottomless cpos). A meaning function is compositional iff for all terms M, N
and contexts C[·], if ⟦M⟧ = ⟦N⟧ then ⟦C[M]⟧ = ⟦C[N]⟧.

Definition 11 A meaning function is adequate for a definition of observational
congruence, ≡_obs, if for all terms M, N

⟦M⟧ = ⟦N⟧ implies M ≡_obs N.
Chapter 3

Defining the Denotational 
Model 



O'Hearn and Tennent [12] provide a good exposition of the methods of "possible
worlds" models of block structure. This idea of using a category-theoretic form
of possible worlds to model block structure was pioneered in the early 1980's by
Reynolds and Oles [15, 17, 20]. The model of Reynolds and Oles provided great
insight into the nature of local variable declarations. Later Tennent and O'Hearn
[12-14, 23, 25] modified the Oles model in an effort to incorporate the notion of
non-interference. Tennent incorporated this model of EoA, which understood
non-interference, into a larger model of Reynolds's Specification Logic [22] for
the Essence of Algol. Our focus right now is Tennent's original model of EoA
which captures non-interference. In Chapter 5 we discuss some examples of
equivalences of EoA code which O'Hearn and Tennent have shown [12, 13] that
this model validates. These examples demonstrate the substantial power of the
model; however, we also show some counterexamples to full abstraction [12,
13].

We begin this Chapter by giving a review of the basic concepts of these
possible worlds models of Algol and the definition of the Tennent model; a
more comprehensive discussion is found in [12], Chapter 9 of [24] and in [14].
Section 3.5 contains a collection of definitions which we will need for our proof
of adequacy in Chapter 4. We focus our discussion on the model of Tennent
[24, 25]. This model incorporates several substantial modifications to Oles's
original model. The Tennent model provides some simplifications in description
and some improvements in power. In particular Tennent separated the issue of
implicit coercions from the issue of block structure, which had been intertwined
in the model of Oles. Tennent also found a few other technical simplifications
of the category of state shapes which were used for modeling block structure.
In addition, to properly model interference (which helps in understanding how
higher order objects behave) Tennent slightly modified the category of state
shapes, and chose an "ad hoc" definition for ⟦comm⟧, rather than taking the
functor S ⇀ S.

Later, we will also be interested in the O'Hearn-Tennent model [13]. This
model arose from an attempt to model a principle of "non-interference abstraction."
Technically it is obtained by slightly perturbing the category of state
shapes used in [24, 25], and modifying the definition of ⟦comm⟧. Most of the
definitions and results of this paper make sense and hold for both the Tennent
and O'Hearn-Tennent models; we will specifically point out when a definition
or result is specific to one or the other. When we abstract away the specifics of
Tennent's model and state our general adequacy Theorem it will be obvious that
the O'Hearn-Tennent model is also adequate. It should be a routine exercise to
verify that the model of Reynolds and Oles (for a language without implicit
coercions) also satisfies the sufficient conditions for adequacy.



3.1 Functor Category Models of Simply Typed
Lambda Calculi

Given two categories A and B, we define the functor category from A to
B (B^A) to be the category whose objects are all covariant functors from A
to B and whose morphisms are all natural transformations between covariant
functors from A to B. Composition in B^A is the standard composition of natural
transformations, and the identity morphism is simply the identity natural
transformation. Note that some authors write A → B for B^A.

Let D be the category of possibly-bottomless cpo's; a careful definition of
D is given in Section 3.2. We will take advantage of the fact that for any small
category X, the functor category D^X is cartesian closed. In [11] Nelson proves
this for any complete cartesian closed category in the place of D. The case of
D was explicitly treated by Oles [15]. D^X is also closed under denumerable
products, a fact that makes life simpler, as there will be a single environment
object, Env (rather than merely an environment object for each finite set of
typed identifiers). Our ability to take advantage of denumerable products in
this way is a consequence of identifiers coming explicitly with types. If the
category were not closed under denumerable products we would have to count
identifiers and introduce finite environments relative to a finite set of identifiers.
Berry, Curien and Levy provide a quick summary of the general methods of
c.c.c. models of simply-typed lambda calculi and what they look like when we
take advantage of the single environment object [3, Section 6]. Going along the
general lines of interpreting a simply typed λ-calculus in a c.c.c., we interpret
types by objects of the functor category via a function ⟦·⟧_type (remember, these
objects are functors from X to D). We can generate the function ⟦·⟧_type merely
by specifying ⟦β⟧_type for all of our base types β (for EoA, this is simply for
β ∈ {comm, exp}).

In contrast to an interpretation of the simply typed lambda calculus in a
category of sets with structure, there is a lot more to the meaning of a type
than a (structured) set of elements of that type. In this case a type is a functor
from a category to the category of (potentially bottomless) cpos. It no longer makes sense to
think of an element of the type T, per se. We can however, make sense of the
notion of a global element (constant) of type T. It is a morphism, m, from the
terminal object (1_{D^X}) of D^X to ⟦T⟧_type. So m is a natural transformation from
1_{D^X} to ⟦T⟧_type. By definition, this is a function that assigns to every X-object
w a morphism in D, m_w : 1_{D^X}(w) → T(w), which satisfies certain uniformity
properties. As we will see, 1_{D^X}(w) will simply turn out to be the one-element
cpo {*}, so we can in fact just think of m as a method of selecting a single
element from each cpo T(w). But the D-morphisms which m picks for each
X-object w cannot be unrelated. In fact, we must have for any f : w → w' that

$$m(w') = m(w);\, T(f),$$

where ";" denotes composition in "diagrammatic" order (apply m(w) first, then
T(f)). Since each type is a
functor into D (which is a category of sets with structure), it does make sense
to talk about an element of a type T at a world w.

Half of the meaning of a type T is its behavior on objects, w ∈ obj(X),
essentially telling us the collection of meanings appropriate to type T at world
w. As mentioned above, the meanings for different worlds are not completely
unrelated. The other half of the meaning of a type tells us this relation. Specifically,
given f : w → w', the function T(f) tells us how to transform meanings
appropriate to world w into meanings appropriate to world w'. Since there may
be many morphisms from w to w', there might in fact be many different ways
to transform the space of meanings appropriate to world w into the space of
meanings appropriate to world w'. As we will see in Section 3.5.2 this provides
us with greater flexibility than we had with the "global elements of type T."

We also have an indexed product object

$$\mathrm{Env} = \prod_{\alpha^\theta \in \mathrm{Identifiers}} \llbracket \theta \rrbracket_{\mathrm{type}},$$

useful for providing meanings for the free identifiers of a term M. Since Env is
a functor, it is incorrect to think of it as a set of environments. Nevertheless, it
does make sense to think of an element of Env at a world w, viz. an environment
at world w. As with types, the behavior of Env on morphisms, Env(f : w → w') :
Env(w) → Env(w'), tells how to transform (along f) an environment at w into
an environment at w'.

We now look to the general method of c.c.c. interpretations to see what we
should do with terms. We interpret a term M : θ as a morphism in D^X from
Env to the object ⟦θ⟧_type. In our framework, this will be a natural transformation
from the functor Env to the functor ⟦θ⟧_type, which gives us a
commutative diagram which, for any X-morphism f : w → w', looks like:

$$\begin{array}{ccc}
\mathrm{Env}(w) & \xrightarrow{\ \llbracket M \rrbracket_w\ } & \llbracket \theta \rrbracket_{\mathrm{type}}(w)\\
\Big\downarrow{\scriptstyle \mathrm{Env}(f)} & & \Big\downarrow{\scriptstyle \llbracket \theta \rrbracket_{\mathrm{type}}(f)}\\
\mathrm{Env}(w') & \xrightarrow{\ \llbracket M \rrbracket_{w'}\ } & \llbracket \theta \rrbracket_{\mathrm{type}}(w')
\end{array}$$
3.2 The Category D

We now review the basic structure of D, the category whose objects are directed-complete,
partially ordered, possibly bottomless sets (dcpos), and whose morphisms
are continuous functions. Composition of morphisms is simply functional
composition and the identity morphism on a dcpo A is simply the identity function
on A.

The terminal objects of D are precisely the dcpos with exactly one element.
We fix our attention on {*}, which we refer to as 1_D. The product of two
dcpos (A, ⊑_A) and (B, ⊑_B) is the cartesian product of A and B ordered componentwise,
i.e. (A × B, ⊑_{A×B}), where A × B = {(a, b) | a ∈ A and b ∈ B} and
(a, b) ⊑_{A×B} (a', b') iff a ⊑_A a' and b ⊑_B b'. The exponent (A, ⊑_A) → (B, ⊑_B)
is defined to be (A →_c B, ⊑_{A→_c B}), where A →_c B is the set of continuous
(wrt. ⊑_A and ⊑_B) functions from A to B, and ⊑_{A→_c B} is the standard "pointwise
ordering", namely f ⊑_{A→_c B} g iff for all a ∈ A, f(a) ⊑_B g(a). From now
on we write → for →_c, A for the dcpo (A, ⊑_A), and when obvious from the
context, we drop the A from ⊑_A.

Two other constructions in D that we will later be using are:

• Lifting: A_⊥ is a copy of A augmented by a new least element ⊥.

• Partial exponentiation: A ⇀ B is the set of all continuous partial functions
from A to B, ordered pointwise. Note that in D, A ⇀ B is isomorphic to
A → B_⊥.



3.3 Constructing the C.C.C.

We now define the analogous constructions in the category D^X. These definitions
are taken almost directly from [24, Chapter 9], although throughout the
presentation we are careful to maintain the distinction between → (a morphism
in some category) and ⇒ (the internal hom-functor of some category). In this
Section we decorate → with the category in which it lies, e.g. f : x →_X y is a
morphism in the category X from x to y. We also decorate ⇒ with the category
in which it lies, e.g. A ⇒_D B is the object of D which is the cpo of continuous
functions from A to B. After this Section, we will typically drop the decorations
on → and ⇒, and may in fact even use → for ⇒ when it can easily be disambiguated
from the context. When working in D, we will also leave implicit the
isomorphism between f : d₁ →_D d₂ as a continuous function from d₁ to d₂, and
f ∈ (d₁ ⇒_D d₂) as an element of the cpo which is the exponential object.

Much of the structure of these constructions in D^X is inherited from that
of D. Take F, G ∈ obj(D^X), namely functors from X to D; x, y, z ∈ obj(X),
namely arbitrary possible worlds; and let f : x →_X y, g : y →_X z be arbitrary X-morphisms
from x to y and y to z, respectively. The constructions are then as
follows:

• Terminal object, 1_{D^X} (remember 1_D = {*}): The behavior on worlds is
1_{D^X}(x) = 1_D = {*} and the behavior on morphisms is 1_{D^X}(f) = id_{1_D} =
id_{{*}}.

• The product object, F ×_{D^X} G: On objects (F ×_{D^X} G)(x) = F(x) ×_D G(x),
ordered componentwise. On morphisms, we have

$$(F \times_{D^X} G)(f)\,[(d, d') \in F(x) \times G(x)] = (F(f)d,\ G(f)d').$$

• The exponential object, F ⇒_{D^X} G:

$$(F \Rightarrow_{D^X} G)(x) = \left\{\, m \in \prod_{f : x \to_X y} [F(y) \Rightarrow_D G(y)] \;\middle|\; \text{for all } f : x \to_X y \text{ and } g : y \to_X z,\ m(f); G(g) = F(g); m(f;g) \,\right\},$$

ordered pointwise (i.e. m₁ ⊑ m₂ iff m₁(f) ⊑ m₂(f) for every f : x → y),
where

$$\prod_{f : x \to_X y} \cdots y \cdots$$

here and in later definitions is an abuse of notation which stands for

$$\prod_{f \in X(x,\cdot)} \cdots \mathrm{codom}\, f \cdots,$$

where X(x, ·) is the set of all X-morphisms with domain x. The behavior
of this construction on X-morphisms, f : x →_X y, is defined to be:

$$(F \Rightarrow_{D^X} G)(f : x \to_X y)\,(m \in [F \Rightarrow_{D^X} G]x)\,(g : y \to_X z) = m(f;g).$$

Tennent provides the following motivation for the exponential construction:
To motivate the ⇒ construction, consider that a procedure
defined in possible world x might be called in any possible world
y accessible from x using any X-morphism f : x →_X y, and it
is the domain structure determined by y which should be in
effect when the procedure body is executed. This suggests that
we cannot just define (F ⇒_{D^X} G)(x) to be F(x) ⇒_D G(x); the
meaning of a procedure defined in possible world x must be a
family of functions, indexed by X-morphisms f : x →_X y. But
such families of functions must be appropriately uniform; ...
[24].

The uniformity condition is the commutativity of all diagrams (in D) of
the form

$$\begin{array}{ccc}
F(y) & \xrightarrow{\ m(f : x \to y)\ } & G(y)\\
\Big\downarrow{\scriptstyle F(g : y \to z)} & & \Big\downarrow{\script style G(g : y \to z)}\\
F(z) & \xrightarrow{\ m((f;g) : x \to z)\ } & G(z)
\end{array} \qquad (3.1)$$

There are several other useful constructions, which are not directly a part of the
c.c.c. structure of D^X. For example, we have the lifted object, F_{⊥_{D^X}}:

$$F_{\perp_{D^X}}(f)\,[d \in F_{\perp_{D^X}}(x)] = \begin{cases} \perp, & \text{if } d = \perp,\\ F(f)(d) \text{ in } F_{\perp_{D^X}}(y) & \text{otherwise.}\end{cases}$$


We also have a construction for partial exponentiation, which will be similar to
the construction for (total) exponentiation; however, the uniformity condition
on elements of the resulting cpo will not be as stringent. Specifically, we have

$$(F \rightharpoonup_{D^X} G)(x) = \left\{\, m \in \prod_{f : x \to_X y} [F(y) \rightharpoonup_D G(y)] \;\middle|\; \text{for all } f : x \to_X y \text{ and } g : y \to_X z,\ m(f); G(g) \sqsubseteq F(g); m(f;g) \,\right\},$$

ordered pointwise (i.e. m₁ ⊑ m₂ iff m₁(f) ⊑ m₂(f) for every f : x → y). Notice
the two differences in the definition of ⇀_{D^X} from the definition of ⇒_{D^X}: we
do comprehension over the underlying set of partial continuous functions from
F(y) to G(y), and we have changed the "=" to a "⊑" in giving the constraint
m(f); G(g) ⊑ F(g); m(f;g). The effect of this second change is to weaken the
uniformity condition suggested in Diagram 3.1 to only require commutativity
when the result of the partial mapping along the top of the Diagram is defined,
giving Diagram 3.2.



$$\begin{array}{ccc}
F(y) & \xrightarrow{\;m(f : x \to y)\;} & G(y) \\
\Big\downarrow{\scriptstyle F(g : y \to z)} & \sqsubseteq & \Big\downarrow{\scriptstyle G(g : y \to z)} \\
F(z) & \xrightarrow{\;m((f;g) : x \to z)\;} & G(z)
\end{array} \qquad (3.2)$$

Note that, even though in $D$, $A \Rightarrow B_\bot$ is isomorphic to $A \rightharpoonup B$, this is not
generally the case in $D^X$.

Similarly, we can introduce indexed products. Specifically, if $I$ is a denumerable
set and for every $i \in I$, $F[i]$ is a functor from $X$ to $D$, then we can define
the object $\prod_{i \in I} F[i]$ of $D^X$ by

$$\Big(\prod_{i \in I} F[i]\Big)(x \in \operatorname{obj}(X)) = \prod_{i \in I} \big(F[i](x)\big)$$

$$\Big(\prod_{i \in I} F[i]\Big)(f : x \to x') = \prod_{i \in I} \big(F[i](f)\big)$$



3.4 A Model of EoA 

3.4.1 The Category of Possible Worlds, W 

The intuition behind the category of Possible Worlds is to provide the "shape 
of the state" (i.e. the set of allowable states) during program execution, and to 
show how one state shape evolves into another. The category of possible worlds 
has state shapes as objects and "store evolutions" as morphisms. There are 
two principal kinds of operations performed on state shapes in Tennent's work 
(although many others are allowed). The first is an "expansion" to correspond 
to allocating a new variable. The other is a "restriction" operation by which 
we restrict the set of allowable states to include only those states which satisfy 
a certain property. 

For our model of EoA we will use as the category of possible worlds, $W$, a
category of state shapes. Specifically, an object of $W$ is any subset of $N^n$ for
any integer $n$. The set of objects of $W$ is closed under subset, intersection and
product (if we interpret product as concatenation of sequences). A morphism
from the world $X$ to the world $Y$ is a pair $(f, Q)$, where

1. $f$ is a function from the set $Y$ to the set $X$.

2. $Q$ is an equivalence relation on the set $Y$.

3. $f$ restricted to any $Q$-equivalence class is injective; i.e., for all $y, y' \in Y$ if
$y\,Q\,y'$ and $f(y) = f(y')$ then $y = y'$.

When $(f, Q)$ is describing a pure "restriction" operation, $Y$ will be a subset of
$X$. Furthermore, $Q$ will turn out to be $T_Y$ (the everywhere-true binary relation
on $Y$), and $f$ will simply be the injection of $Y$ into $X$. When $(f, Q)$ describes a
new variable allocation, $Y$ will be $X \times N$, $Q$ will be defined so that

$$(x_0.n_0)\,Q\,(x_1.n_1) \text{ iff } n_0 = n_1,$$

and $f(x.n) = x$. Intuitively, $f$ extracts the old portion of the stack which is
embedded in the new one, and $Q$ relates new stacks which have the same "new
components" (but possibly differ on the old part).

We define composition (in diagrammatic order) of $W$-morphisms, $(f, Q) :
X \to Y$, and $(g, R) : Y \to Z$ as follows: $(f, Q); (g, R) = (h, P)$ where:

• $h(z) = f(g(z))$,

• $z_0\,P\,z_1$ iff $z_0\,R\,z_1$ and $g(z_0)\,Q\,g(z_1)$.

Thus the identity morphism of $W$ at world $X$, $\mathrm{id}_X : X \to X$, will be $(I_X, T_X)$,
where $I_X$ is the identity function on $X$, and $T_X$ is the everywhere-true binary
relation on $X$.

We introduce the following useful notation for abbreviating some common
restriction morphisms. Specifically, if $X'$ is a subset of a world $X$, we have
the state-set restriction morphism, $\upharpoonright\! X' : X \to X'$, defined to be $(f, T_{X'})$,
where $f$ is the inclusion function from $X'$ to $X$ and $T_{X'}$ is the everywhere-true
relation on $X'$ (The notation $\upharpoonright\! X'$ does not completely specify a morphism of
$W$, as it also depends on the object $X$. Thus we will make sure that the $X$
in question will always be clear from context). Similarly we introduce a useful
notation for abbreviating some common expansion morphisms. Specifically,
we define morphisms $\times N : X \to X \times N$, for which the function part is the
projection from $X \times N$ to $X$, and the equivalence relation part relates $x_0.n_0$
and $x_1.n_1$ iff $n_0 = n_1$. As with our notation for $\upharpoonright\! X'$, although the notation $\times N$
does not identify a morphism uniquely (as we need to know which object $X$
is), the intended morphism will always be evident from the context. In future
discussions, we will let the metavariables $X, Y, Z, \ldots$ range over objects of $W$,
and we will let $x_0, x_1, \ldots$ range over $X$, etc.

3.4.2 Interpreting Types

The base types of EoA are exp and comm. An integer thunk (exp) is essentially a
function which given a store, returns an integer — or is undefined. A command is
essentially a function which given a store returns another store — or is undefined.
Notice that in describing both of our base types, we have functions of stores
arising. In fact, in our semantics it is only in the definition of the base types
that functions on stores arise directly. Given our intuitive description of exp and
comm it seems that we should first describe a meaning for stores and for integers,
and then we are looking for something like: $[\![\mathrm{exp}]\!] = S \Rightarrow N$, $[\![\mathrm{comm}]\!] = S \rightharpoonup S$,
and for higher types: $[\![\theta \to \tau]\!] = [\![\theta]\!] \Rightarrow [\![\tau]\!]$.

So what are the functors $S$ and $N$? $S$ is the contravariant functor which,
given a store shape $X$, gives a discretely-ordered dcpo with $X$ as its underlying
set. In order to avoid getting bogged down in notation, we will often simply
write $X$ to denote $S(X)$. To define $S$ on morphisms, we take $S(f, Q : X \to Y) =
f : S(Y) \to S(X)$, the projection from $Y$ to $X$ along $f$. The functor $N$ is the
constant functor which in any world returns the set of non-negative integers,
considered as a discrete dcpo. $N$ applied to any morphism simply returns the
identity on the natural numbers.

Note that since $S$ is a contravariant functor, it is not an object of $D^W$.
O'Hearn and Tennent [12, Section 4] give a good explanation of why we need
$S$ to be a contravariant functor. We adapt the conclusion of their discussion
to our setting. There is a variant of the exponential construction used in $D^W$
which works on contravariant functors to yield a covariant functor (which is an
object in $D^W$). The contra-exponentiation $S \Rightarrow N_\bot$ is
defined just like the usual exponential, but with a reversal of vertical arrows in
uniformity diagrams to account for contravariance. That is, $e(\cdot) \in (S \Rightarrow N_\bot)X$
is a family of functions, indexed by morphisms out of $X$, such that

$$\begin{array}{ccc}
Y & \xrightarrow{\;e(f)\;} & N_\bot \\
\Big\uparrow{\scriptstyle S(g)} & & \Big\downarrow{\scriptstyle \mathrm{id}_{N_\bot}} \\
Z & \xrightarrow{\;e(f;g)\;} & N_\bot
\end{array}$$

commutes, where $f : X \to Y$, $g : Y \to Z$. The morphism part manages to be
defined as before, namely $(S \Rightarrow N_\bot)\, f\, m\, g = m(f;g)$, thereby yielding a covariant
functor.

We could try doing the analogous flipping of the arrows of Diagram 3.2 for
defining $[\![\mathrm{comm}]\!] = S \rightharpoonup S$, giving the following:

$$\begin{array}{ccc}
Y & \xrightarrow{\;m(f : x \to y)\;} & Y \\
\Big\uparrow{\scriptstyle S(g : y \to z)} & \sqsupseteq & \Big\uparrow{\scriptstyle S(g : y \to z)} \\
Z & \xrightarrow{\;m((f;g) : x \to z)\;} & Z
\end{array} \qquad (3.3)$$
Unfortunately, as discussed in [13], this does not impose enough uniformity
constraints on the behavior of command meanings. On the other hand, using
$S \Rightarrow S_\bot$ imposes uniformity constraints that are too strong. They find a good
compromise by making $[\![\mathrm{comm}]\!]$ a subfunctor of $S \rightharpoonup S$ as follows:

$$[\![\mathrm{comm}]\!](X) = \left\{\, c \in (S \rightharpoonup S)(X) \;\middle|\;
\begin{array}{l}
\text{for all } (f, Q) : X \to Y, \text{ and } (g, R) : Y \to Z, \text{ and } z \in Z, \\
S(\upharpoonright\! Z');\, c((f, Q); (g, R)) = c((f, Q); (g, R); \upharpoonright\! Z');\, S(\upharpoonright\! Z'), \\
\text{where } Z' = \{\, z' \mid z\,R\,z' \,\}
\end{array} \right\}$$

The extra condition above enforces an additional commutativity requirement
arising from the equivalence-class component of the morphisms. Specifically,
for any $(f, Q) : X \to Y$, and $y \in Y$, let

$$Y' = \{\, y' \in S(Y) \mid y\,Q\,y' \,\}$$

(the set of states $Q$-equivalent to $y$); then

$$\begin{array}{ccc}
Y & \xrightarrow{\;c(f, Q)\;} & Y \\
\Big\uparrow{\scriptstyle S(\upharpoonright\! Y')} & & \Big\uparrow{\scriptstyle S(\upharpoonright\! Y')} \\
Y' & \xrightarrow{\;c((f, Q); \upharpoonright\! Y')\;} & Y'
\end{array}$$

must commute (and not just semi-commute). This ensures that, when it is
defined, $c(f, Q)$ preserves the $Q$-equivalence class of its argument.
For the behavior of $[\![\mathrm{comm}]\!]$ on morphisms, we still have:

$$[\![\mathrm{comm}]\!](f)(c)(g) = c(f;g)$$

There is one other important special case of the commutativity property for
elements of $[\![\mathrm{comm}]\!]X$, which is a consequence of the "semi-commutativity" of
$(S \rightharpoonup S)X$. This special case is expressed by the following Lemma.

Lemma 13 Let $c \in ([\![\mathrm{comm}]\!])(X)$ or, more generally, $c \in (S \rightharpoonup S)X$. Let
$(f, Q) : X \to Y$. Finally, let $(g, R) : Y \to Z$ be an isomorphism in the category
of possible worlds (then $g$ is a bijection from $Z$ to $Y$, and $R$ is $T_Z$ — the
everywhere-true binary relation on $Z$). The following diagram commutes:

$$\begin{array}{ccc}
Y & \xrightarrow{\;c(f, Q)\;} & Y \\
\Big\uparrow{\scriptstyle S(g, R) = g} & & \Big\uparrow{\scriptstyle S(g, R) = g} \\
Z & \xrightarrow{\;c(f, Q; g, R)\;} & Z
\end{array}$$

In other words, $c(f, Q)(g(z)) = g(c(f, Q; g, R)z)$.

Since $g$ is a bijection, the constraint expressed by the commutative diagram can
also be expressed as $c((f, Q); (g, R))z = g^{-1}(c(f, Q)(g(z)))$.
3.4.3 Interpreting Constants and Terms

In Chapter 2, we defined the syntax of EoA by giving some constants and three
primary ways of constructing new terms from old: $\lambda$-abstraction, application,
and new-variable declaration. To define our semantics we will need to provide
the meaning of the constants, and we will also need to provide a way of finding
the meaning of terms constructed using $\lambda$-abstraction, application and new-variable
declarations. The general methods of providing these interpretations
using c.c.c.'s are very well established, except for the case of new-variable
declarations. For concreteness, we show specifically what all of these look like for
our model of EoA.

The meaning of a term of type $\theta$ is a morphism from $\mathrm{Env}$ to $[\![\theta]\!]$. For
the meanings of constants we directly give $[\![n]\!] : \mathrm{Env} \to [\![\mathrm{exp}]\!]$ and $[\![\mathrm{skip}]\!] :
\mathrm{Env} \to [\![\mathrm{comm}]\!]$ (morphisms in $D^W$). Assuming $X$ and $Y$ are arbitrary worlds, $u \in \mathrm{Env}(X)$, $f :
X \to Y$ and $y \in Y$, the definitions are

$$[\![n]\!]Xufy = n$$
$$[\![\mathrm{skip}]\!]Xufy = y.$$

We uncurry all of the other constants in order to simplify the presentation. For
a constant $c$ of type $\theta_1 \to \cdots \to \theta_n \to \tau$, we indirectly give its meaning (which
is a morphism from $\mathrm{Env}$ to $[\![\theta_1 \to \cdots \to \theta_n \to \tau]\!]$) by providing a morphism from
$[\![\theta_1]\!] \times \cdots \times [\![\theta_n]\!]$ to $[\![\tau]\!]$. These interpretations are shown in Figure 3.1, where $X$ and
$Y$ are arbitrary worlds, $f : X \to Y$ is arbitrary, and $y$ is an arbitrary element
of $Y$.

To obtain

$$[\![c^{\theta_1 \to \cdots \to \theta_n \to \tau}]\!] : \mathrm{Env} \to [\![\theta_1 \to \cdots \to \theta_n \to \tau]\!]$$

from $[\![c]\!]_{uncurry}$
we take advantage of the curry isomorphism, between the hom sets $\hom([\![\theta_1]\!] \times
\cdots \times [\![\theta_n]\!], [\![\tau]\!])$ and $\hom(1, [\![\theta_1]\!] \Rightarrow \cdots [\![\theta_n]\!] \Rightarrow [\![\tau]\!])$. So, we will end up with

$$[\![c]\!] = \,!_{\mathrm{Env}}; (\mathrm{curry}([\![c]\!]_{uncurry})).$$

For concreteness, we show how to obtain $[\![\mathrm{plus}]\!]$ from $[\![\mathrm{plus}]\!]_{uncurry}$.

$$[\![\mathrm{plus}]\!](X)(u)(f)(e_1)(g)(e_2) = [\![\mathrm{plus}]\!]_{uncurry}\, Z\, \langle [\![\mathrm{exp}]\!](f;g)e_1, [\![\mathrm{exp}]\!](g)e_2 \rangle,$$

and so

$$\begin{aligned}
[\![\mathrm{plus}]\!](X)(u)(f)(e_1)(g)(e_2)(h)(w)
&= [\![\mathrm{plus}]\!]_{uncurry}\, Z\, \langle [\![\mathrm{exp}]\!](f;g)e_1, [\![\mathrm{exp}]\!](g)e_2 \rangle\, h\, w \\
&= \begin{cases} n + m & \text{if } e_1(f;g;h)w = n \text{ and } e_2(g;h)w = m, \\
\bot & \text{if } e_1(f;g;h)w = \bot \text{ or } e_2(g;h)w = \bot. \end{cases}
\end{aligned}$$






$$\begin{aligned}
[\![\mathrm{I\!F}_{\mathrm{exp}\,\mathrm{exp}}]\!]_{uncurry}\, X\langle e_0, e_1, e_2\rangle f y &=
\begin{cases} e_1 f y, & \text{if } e_0 f y = 0, \\ e_2 f y, & \text{if } e_0 f y = n + 1, \\ \bot, & \text{otherwise.} \end{cases} \\[1ex]
[\![\mathrm{I\!F}_{\mathrm{exp}\,\mathrm{comm}}]\!]_{uncurry}\, X\langle e, c_1, c_2\rangle f y &=
\begin{cases} c_1 f y, & \text{if } e f y = 0, \\ c_2 f y, & \text{if } e f y = n + 1, \\ \text{undefined}, & \text{otherwise.} \end{cases} \\[1ex]
[\![\mathrm{succ}]\!]_{uncurry}\, X\, e\, f y &=
\begin{cases} n + 1, & \text{if } e f y = n, \\ \bot, & \text{if } e f y = \bot. \end{cases} \\[1ex]
[\![\mathrm{plus}]\!]_{uncurry}\, X\langle e_1, e_2\rangle f y &=
\begin{cases} n + m, & \text{if } e_1 f y = n \text{ and } e_2 f y = m, \\ \bot, & \text{if } e_1 f y = \bot \text{ or } e_2 f y = \bot. \end{cases} \\[1ex]
[\![\mathrm{seq}]\!]_{uncurry}\, X\langle c_1, c_2\rangle f y &=
\begin{cases} c_2 f y', & \text{if } c_1 f y = y', \\ \text{undefined}, & \text{if } c_1 f y \text{ is undefined.} \end{cases} \\[1ex]
[\![Y_\theta]\!]_{uncurry}\, X\, m &= \text{the least fixed point of } m(\mathrm{id}_X).
\end{aligned}$$

Figure 3.1: Meanings of EoA constants

In the case of $Y_\theta$ it is not obvious that the specified least fixed points always
exist, as the objects of $D^W$ are arbitrary functors into $D$. Since many objects of
$D$ are bottomless, it is definitely not the case for every element $m$ of an arbitrary
functor $F$ at an arbitrary world $X$ that $m(\mathrm{id}_X)$ has a least fixed point. Moreover,
it is not necessarily the case for arbitrary worlds $X$ and $Y$ that the fixed points,
if they were to exist, would fit together well enough for $[\![Y_\theta]\!]$ to be a natural
transformation (a morphism in $D^W$). In [14, pages 26-28], it is argued that for
all of the types we use (and some more), all of the necessary least fixed points
do exist, and they do fit together naturally.
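To make the clauses of Figure 3.1 and the $Y_\theta$ clause concrete, here is an added Python illustration (not the thesis's own definitions) in which the world parameter is dropped: every thunk and command is taken at the identity morphism of a single world, so an expressor is a function from stores to an integer or `None` (playing $\bot$), and a command is a function from stores to a store or `None`. `fix` computes the least fixed point of $m$ by Kleene iteration $\bot \sqsubseteq m(\bot) \sqsubseteq m(m(\bot)) \sqsubseteq \cdots$, evaluated per store, with an iteration bound standing in for the limit of the chain (a store on which no approximant is ever defined is reported as $\bot$). The names `read`, `write`, `if_`, `fix` and `demo`, and the sample stores, are ours; the recursive command in `demo` uses an acceptor write to reach its base case, since the constants of the figure cannot decrement a location.

```python
# Added illustration of the constant clauses of Figure 3.1 with the world parameter
# dropped: a thunk is a function store -> int | None, a command store -> store | None,
# where None plays the role of bottom / "undefined". Stores are tuples, locations 1-based.
# The names below are ours, not the thesis's.

BOTTOM = None

def const(n):                       # [n]: always n
    return lambda s: n

def skip(s):                        # [skip]: returns the store unchanged
    return s

def read(k):                        # expressor reading location k
    return lambda s: s[k - 1]

def write(k, e):                    # acceptor at location k applied to thunk e
    def cmd(s):
        v = e(s)
        return BOTTOM if v is BOTTOM else s[:k - 1] + (v,) + s[k:]
    return cmd

def succ(e):                        # [succ]: n+1 if e gives n, bottom if e gives bottom
    def thunk(s):
        v = e(s)
        return BOTTOM if v is BOTTOM else v + 1
    return thunk

def plus(e1, e2):                   # [plus]: strict in both arguments
    def thunk(s):
        n, m = e1(s), e2(s)
        return BOTTOM if n is BOTTOM or m is BOTTOM else n + m
    return thunk

def if_(e0, on_zero, on_succ):      # [IF]: the same shape serves exp and comm branches
    def r(s):
        v = e0(s)
        if v is BOTTOM:
            return BOTTOM
        return on_zero(s) if v == 0 else on_succ(s)
    return r

def seq(c1, c2):                    # [seq]: c2 on the store c1 produced; undefined if c1 is
    def cmd(s):
        s1 = c1(s)
        return BOTTOM if s1 is BOTTOM else c2(s1)
    return cmd

def fix(m, bound=200):
    """Least fixed point of m by Kleene iteration, evaluated lazily at each store:
    the first approximant m^n(bottom) that is defined at s gives the answer (the
    chain is increasing, so later approximants agree). `bound` stands in for the
    limit of the chain; reaching it means no approximant was defined at s."""
    def lfp(s):
        approx = lambda _s: BOTTOM          # the everywhere-undefined element
        for _ in range(bound):
            approx = m(approx)
            v = approx(s)
            if v is not BOTTOM:
                return v
        return BOTTOM
    return lfp

def demo():
    out = {}
    out["plus_succ"] = plus(read(1), succ(read(2)))((4, 5))            # 4 + (5 + 1)
    out["if_exp"] = if_(read(1), const(1), plus(read(1), read(1)))((2,))
    # Y over comm: zero location 1 unless it already is zero, then stop.
    loop = fix(lambda c: if_(read(1), skip, seq(write(1, const(0)), c)))
    out["loop_from_3"] = loop((3,))
    out["loop_from_0"] = loop((0,))
    # Y over exp: 5 when location 1 is zero; otherwise the unfolding never bottoms out.
    rec = fix(lambda e: if_(read(1), const(5), e))
    out["rec_exp_defined"] = rec((0,))
    out["rec_exp_diverges"] = rec((3,))
    # A command whose unfolding never makes progress denotes bottom on every store.
    out["diverging_command"] = fix(lambda c: seq(skip, c))((1,))
    return out
```

Because each approximant is only ever applied to a store, the iteration is a direct reading of "least fixed point of $m(\mathrm{id}_X)$" at one world: the chain of partial functions is explored only as far as the given store forces it.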

Application and abstraction are understood using the standard c.c.c. structure
of $D^W$. When $M : \theta \to \tau$ and $N : \theta$, $[\![(M\;N)]\!]$ is a natural transformation
from $\mathrm{Env}$ to $[\![\tau]\!]$. Specifically, for an arbitrary world $X$ and $u \in \mathrm{Env}(X)$,

$$[\![(M\;N)]\!]Xu = [\![M]\!]Xu\,\mathrm{id}_X([\![N]\!]Xu).$$

We can see how this comes from the c.c.c. structure of $D^W$ by observing that
the definition of $\mathrm{eval}_{A,B} : [A \Rightarrow B] \times A \to B$ (in $D^W$) is:

$$\mathrm{eval}_{A,B}\, X\langle f, a\rangle = f\,\mathrm{id}_X\,a.$$

The meaning of the term $(\lambda\alpha^\theta.\,M) : \theta \to \tau$ is a natural transformation from
$\mathrm{Env}$ to $[\![\theta \to \tau]\!]$. Taking $X$ and $u$ as before, $f : X \to Y$ and $v \in [\![\theta]\!]Y$, we have:

$$[\![(\lambda\alpha^\theta.\,M)]\!]Xufv = [\![M]\!]Y((\mathrm{Env}(f)u)[v/\alpha^\theta]).$$
We do a little bit of preliminary work before giving the valuation for New
blocks. First, we define the new acceptor and expressor which are allocated in
world $X$. Formally we define the functions:

$$a_{new} : \operatorname{obj}(W) \to \bigcup_{X \in \operatorname{obj}(W)} [\![\mathrm{acc}]\!](X \times N)$$

$$e_{new} : \operatorname{obj}(W) \to \bigcup_{X \in \operatorname{obj}(W)} [\![\mathrm{exp}]\!](X \times N)$$

Given arbitrary worlds $X, Y, Z$, and arbitrary morphisms $(f, Q) : X \times N \to Y$,
$(g, R) : Y \to Z$, and given states $y \in Y$, $z \in Z$, we let

$$a_{new}(X)(f, Q)(e)(g, R)z = z'$$
$$e_{new}(X)(f, Q)y = v \text{ where } f(y) = x.v.$$

In the definition of $a_{new}$, $z'$ is the unique element of $Z$ such that

1. $f(g(z')) = x.(e(g, R)z)$, provided $x.n = f(g(z))$. If $e(g, R)z = \bot$ then
$a_{new}$ is undefined.

2. $z\,R\,z'$ and $g(z)\,Q\,g(z')$.

There need not be a state $z'$ satisfying the above two conditions, in which case
the result is undefined; however, if such a state does exist, it must be unique by
the injectivity property of $(f, Q); (g, R)$.

We further abuse the notation "$\times N$" and define it as a function from $W$-morphisms
to $W$-morphisms. Recall that we also use the notation $\times N$ as a function from
$W$-objects to $W$-objects. We also have morphisms $\times N : X \to X \times N$ for which the
function part is the projection from $X \times N$ to $X$, and the equivalence relation part
relates $x_0.n_0$ and $x_1.n_1$ iff $n_0 = n_1$. These three aspects fit together quite closely;
in fact, if we just viewed $\times N$ via its behavior on $W$-objects and $W$-morphisms, then
$\times N$ would be a functor from $W$ to $W$. Given $(f, Q) : X \to Y$, we define
$(f, Q) \times N = (f', Q')$, where $f'(y.n) = f(y).n$, and $(y_0.n_0)\,Q'\,(y_1.n_1)$ iff $y_0\,Q\,y_1$.
A valuable property of how they fit together is that for any $W$-morphism
$(f, Q) : X \to Y$, the following diagram commutes:

$$\begin{array}{ccc}
X & \xrightarrow{\;\times N\;} & X \times N \\
\Big\downarrow{\scriptstyle (f, Q)} & & \Big\downarrow{\scriptstyle (f, Q) \times N} \\
Y & \xrightarrow{\;\times N\;} & Y \times N
\end{array}$$
The valuation for New blocks is then:

$$[\![\mathrm{New}\;\iota, \kappa \leftarrow E \text{ in } P]\!]Xufy = S(\times N)\big([\![P]\!](X \times N)\,u'\,(f \times N)\,(y.([\![E]\!]Xufy))\big)$$

where $u' = (\mathrm{Env}(\times N)u)[a_{new}(X)/\iota,\ e_{new}(X)/\kappa]$.

This definition is essentially the same as that of [25], except there is a little
bit of extra work here. The extra work arises from two particular aspects of
EoA which are different from Reynolds's essence of ALGOL: the initial value
for the location given by $E$ and taking acc as a type synonym for $\mathrm{exp} \to \mathrm{comm}$
rather than taking it in such a way as to have $[\![\mathrm{acc}]\!] = N \to [\![\mathrm{comm}]\!]$.



3.5 Definitions Needed for Adequacy 

Given our style of operational semantics for EoA, we will also need to assign 
meanings to configurations. This will require several more steps. The state in 
the configuration provides us with two important pieces of semantic information. 
First, the possible world in which to interpret the term part of the configuration 
will depend on the length of the state. Second, the state component of the 
configuration gives us the semantic state to which we apply the meaning of 
the term part of the configuration. We then show how to turn a binding into 
its semantic analogue — an environment. In the last Section, we show how to 
combine these extra semantic pieces of information with the meaning of the 
term in order to figure out the denotation of the configuration. 

3.5.1 A Sequence of Worlds

We first define a sequence of possible worlds $X_i$ such that $X_i$ is the smallest
world useful for finding the meanings of all closed lterms $[M, B] : \mathrm{comm}$ where
$\mathrm{index}(B) \le i$. We let $X_n = N^n = \{\text{states of length } n\}$. Alternatively, if we
had viewed $X_i$ as the smallest world appropriate for finding the meanings of all
configurations whose state part has exactly length $i$, we would have reached the
same definition.

We will let $e^i_k$ denote the expressor for world $X_i$ which reads from the $k$-th
location. So

$$e^i_k = \lambda(f, Q) : X_i \to Y.\ \lambda y \in Y.\ \mathrm{proj}(f(y), k).$$

To see that this works right in a simple case, we observe: $e^i_k(\mathrm{id}_{X_i})(x) =
\mathrm{proj}(x, k)$.

Similarly, we define $a^i_k$ to be the acceptor for world $X_i$ which writes to the
$k$-th location:

$$a^i_k = \lambda(f, Q) : X_i \to Y.\ \lambda e \in [\![\mathrm{exp}]\!]Y.\ \lambda(g, R) : Y \to Z.\ \lambda z \in Z.\ z'$$

where $z'$ is the unique element of $Z$ such that $\mathrm{update}(f(gz), k, e(g, R)z) = f(gz')$
if it exists. It is possible that no such $z'$ exists. If one exists, however, it is
guaranteed to be unique by the injectivity aspect of $W$ morphisms. As a sanity
check, we see that:

$$a^i_k(\mathrm{id}_{X_i})(e)\,\mathrm{id}_{X_i}(x) = \mathrm{update}(x, k, e(\mathrm{id}_{X_i})x).$$

The following Lemma shows how $a^i_k$ lines up with $a_{new}$ and how $e^i_k$ lines up
with $e_{new}$. It is easily justified from the definitions.

Lemma 14 Let $k \ge 1$; then $a^k_k = a_{new}(X_{k-1})$, and $e^k_k = e_{new}(X_{k-1})$.

The final important consistency property for $a^i_k$ and $e^i_k$ (which also comes
by examining the definitions) is given by the following Lemma.

Lemma 15 Let $1 \le k < i$. Let $(f, Q) = \times N \times \cdots \times N$; then $a^i_k = [\![\mathrm{acc}]\!](f, Q)\, a^k_k$
and similarly $e^i_k = [\![\mathrm{exp}]\!](f, Q)\, e^k_k$.
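As an added illustration (not code from the thesis), here is a small Python model of the category of possible worlds $W$ from Section 3.4.1 together with the expressors $e^i_k$ and acceptors $a^i_k$ just defined. Worlds are finite sets of states; $N$ is truncated to $\{0, 1, 2\}$ so that $X_i = N^i$ can be enumerated. A `WMorphism` carries $f$ as a function from the target world to the source world and $Q$ as a predicate; `is_valid` checks the three conditions of the definition by enumeration, `then` is diagrammatic composition $(f,Q);(g,R)$, and `restriction`/`expansion` build $\upharpoonright\! X'$ and $\times N$. The names `WMorphism`, `expressor`, `acceptor`, `demo` and the sample states are ours. One assumption is made explicit: the acceptor additionally requires $z'$ to lie in the $P$-class of $z$ for $(f,Q);(g,R) = (h,P)$, as condition 2 for $a_{new}$ does, since that is what lets injectivity-on-classes deliver uniqueness. `demo` checks the two sanity identities of the text, the $k = 1$, $i = 2$ instance of Lemma 15, and a case where no $z'$ exists.

```python
from itertools import product

# Added illustration of the category of possible worlds W and of the expressors
# e^i_k and acceptors a^i_k; not the thesis's own code. Worlds are finite sets of
# states (tuples of ints); N is truncated to range(3) so that X_i = N^i can be
# enumerated. Locations are 1-based, as in the text.

def proj(x, k):
    return x[k - 1]

def update(x, k, v):
    return x[:k - 1] + (v,) + x[k:]

class WMorphism:
    """A W-morphism (f, Q): X -> Y.  f maps states of Y to states of X and
    q(y0, y1) decides the equivalence relation Q on Y."""

    def __init__(self, src, tgt, f, q):
        self.src, self.tgt, self.f, self.q = src, tgt, f, q

    def is_valid(self):
        """The three conditions of the definition, checked by enumeration."""
        Y = self.tgt
        if any(self.f(y) not in self.src or not self.q(y, y) for y in Y):
            return False                                  # f into X; Q reflexive
        for y0, y1 in product(Y, repeat=2):
            if self.q(y0, y1) != self.q(y1, y0):
                return False                              # Q symmetric
            if self.q(y0, y1) and self.f(y0) == self.f(y1) and y0 != y1:
                return False                              # f not injective on a Q-class
        return all(self.q(a, c) for a, b, c in product(Y, repeat=3)
                   if self.q(a, b) and self.q(b, c))      # Q transitive

    def then(self, other):
        """Diagrammatic composition (f,Q);(g,R) = (h,P): h(z) = f(g(z)),
        z0 P z1 iff z0 R z1 and g(z0) Q g(z1)."""
        assert self.tgt == other.src
        f, q, g, r = self.f, self.q, other.f, other.q
        return WMorphism(self.src, other.tgt, lambda z: f(g(z)),
                         lambda z0, z1: r(z0, z1) and q(g(z0), g(z1)))

def identity(X):
    return WMorphism(X, X, lambda x: x, lambda a, b: True)

def restriction(X, Xp):
    """|Xp : X -> Xp for a subset Xp of X (inclusion, everywhere-true relation)."""
    return WMorphism(X, Xp, lambda x: x, lambda a, b: True)

def expansion(X, N):
    """xN : X -> X x N: project away the new component; relate equal new components."""
    XN = frozenset(x + (n,) for x in X for n in N)
    return WMorphism(X, XN, lambda xn: xn[:-1], lambda a, b: a[-1] == b[-1])

def expressor(k):
    """e^i_k: given (f,Q): X_i -> Y and y in Y, read location k of the old state f(y)."""
    return lambda fq: (lambda y: proj(fq.f(y), k))

def acceptor(k):
    """a^i_k: given (f,Q): X_i -> Y, e in [exp]Y, (g,R): Y -> Z and z in Z, return the
    unique z' in Z with update(f(g z), k, e(g,R) z) = f(g z') lying in the P-class of z
    for (f,Q);(g,R) = (h,P) (our reading of the uniqueness claim), or None if none exists."""
    def at_fq(fq):
        def at_e(e):
            def at_gr(gr):
                def at_z(z):
                    v = e(gr)(z)
                    if v is None:
                        return None
                    comp = fq.then(gr)
                    want = update(comp.f(z), k, v)
                    cands = [zp for zp in gr.tgt if comp.f(zp) == want and comp.q(z, zp)]
                    assert len(cands) <= 1      # injectivity of h on each P-class
                    return cands[0] if cands else None
                return at_z
            return at_gr
        return at_e
    return at_fq

def demo():
    N = range(3)
    X0, X1, X2 = (frozenset(product(N, repeat=i)) for i in range(3))
    step1, step2 = expansion(X0, N), expansion(X1, N)      # X0 -> X1 -> X2
    id2 = identity(X2)
    x = (1, 2)                                              # constructed sample state
    const = lambda v: (lambda gr: (lambda z: v))           # world-independent thunk
    out = {}
    out["composite_is_morphism"] = step1.then(step2).is_valid() and step1.then(step2).tgt == X2
    out["read"] = expressor(2)(id2)(x)                      # e^2_2(id)(x) = proj(x, 2)
    out["write"] = acceptor(1)(id2)(const(0))(id2)(x)       # update(x, 1, 0)
    # Lemma 15 with k = 1, i = 2: e^2_1 = [exp](xN) e^1_1, i.e. e^2_1(id) = e^1_1(xN ; id)
    out["lemma15"] = expressor(1)(id2)(x) == expressor(1)(step2.then(id2))(x)
    # No z' need exist: restrict X2 to states whose first component is 0, then write 2 there
    X2p = frozenset(s for s in X2 if s[0] == 0)
    out["no_target_state"] = acceptor(1)(restriction(X2, X2p))(const(2))(identity(X2p))((0, 1))
    return out
```

The last check is the situation the text describes after the definition of $a^i_k$: after a restriction the target world no longer contains the updated state, so the acceptor is undefined there rather than silently leaving the world.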

3.5.2 Meanings for Bindings: Environments

There is one technical difficulty in defining the denotations of bindings. The
meaning of a binding, $B$, cannot be a global element of $\mathrm{Env}$ (viz. a natural
transformation from $1$ to $\mathrm{Env}$). To see this, we consider the binding $B$ which
maps $\kappa$ (an identifier of type exp) to $1$. Thus $[\![B]\!]$ should be such that: $[\![B]\!]X_2\,\kappa =
e^2_1$. Now consider the endomorphism $(f, Q) : X_2 \to X_2$, where $f((x, y)) = (y, x)$,
and $Q = \Delta_{X_2}$ — the equality relation on $X_2$. If $[\![B]\!]$ were natural, then we would
have to have

$$[\![\mathrm{exp}]\!](f, Q)([\![B]\!]X_2\,\kappa) = e^2_1.$$

But, as the left hand side is equal to $e^2_2$, we have a contradiction.

On the other hand, the meaning of a binding cannot be world-independent.
We observe that the only time in which we use the meaning of a binding is to find
the meaning of a configuration. Furthermore, the meanings for configurations
are defined in worlds of a very special form (an $X_i$ for some $i$). It is therefore not
surprising that we will only be needing the meaning of an environment in one
of the $X_i$'s. Moreover, for any of these worlds it is quite clear what the "right"
meaning of the above $B$ is at $\kappa$. The right meaning is $e^i_1$. We therefore take
the meaning of $B$ to be a function from $N$ to $\bigcup_i \mathrm{Env}(X_i)$ — actually the domain
of $[\![B]\!]$ is $\{n \mid n \ge \mathrm{index}(B)\}$ rather than $N$. $[\![B]\!]$ will have the property that
$[\![B]\!]i \in \mathrm{Env}(X_i)$. Specifically, we define $[\![B]\!]i$, for all $i \ge \mathrm{index}(B)$, as follows:

$$[\![B]\!]i\,(\alpha^\theta) = \begin{cases}
e^i_j & \text{if } B(\alpha^\theta) = j \text{ and } \theta = \mathrm{exp}, \\
a^i_j & \text{if } B(\alpha^\theta) = j \text{ and } \theta = \mathrm{acc}, \\
\bot_{[\![\theta]\!]X_i} & \text{otherwise.}
\end{cases}$$

We conclude this Section by mentioning the following important Lemma about
$[\![B]\!]$ which follows immediately from Lemma 15.

Lemma 16 Suppose $i \ge \mathrm{index}(B)$; then

$$[\![B]\!](i + m) = \mathrm{Env}(\overbrace{\times N \times \cdots \times N}^{m})([\![B]\!]i).$$

3.5.3 Interpreting Configurations

We have a natural transformation from worlds to cpo's to interpret terms. We
have a way to choose the world appropriate to any given state. We are able to
think of a state as a semantic entity. We have a function which takes a binding
and state length (world) to give an environment. We put these together
to interpret a configuration $(M, B, \sigma)$ with $\mathrm{length}(\sigma) = i$ by:

$$[\![(M, B, \sigma)]\!] = \begin{cases}
[\![M]\!]X_i([\![B]\!]i) & \text{for } M \text{ of higher type,} \\
[\![M]\!]X_i([\![B]\!]i)\,\mathrm{id}_{X_i}\,\sigma & \text{for } M \text{ of base type.}
\end{cases}$$

The following Lemma provides an important consistency result between our
interpretation of configurations and the way the model interprets New blocks.

Lemma 17 Let $(\mathrm{New}\;\iota, \kappa \leftarrow E \text{ in } P, B, \sigma)$ be a program configuration, $l = 1 +
\mathrm{length}(\sigma)$, and $B' = B[l/\iota, l/\kappa]$. Furthermore, suppose $[\![(E, B, \sigma)]\!] = n \ne \bot$.
Then the following always holds:

$$[\![(\mathrm{New}\;\iota, \kappa \leftarrow E \text{ in } P, B, \sigma)]\!] = S(\times N)([\![(P, B', \sigma.n)]\!])$$

Proof:

$$\begin{aligned}
& [\![(\mathrm{New}\;\iota, \kappa \leftarrow n \text{ in } P, B, \sigma)]\!] \\
&= [\![\mathrm{New}\;\iota, \kappa \leftarrow n \text{ in } P]\!](X_{l-1})([\![B]\!](l-1))\,\mathrm{id}_{X_{l-1}}\,\sigma && \text{(def of } [\![(\cdot,\cdot,\cdot)]\!]) \\
&= S(\times N)([\![P]\!](X_{l-1} \times N)(u')(\mathrm{id}_{X_{l-1}} \times N)(\sigma.n)) && \text{(def of } [\![\mathrm{New}\cdots]\!]) \\
&= S(\times N)([\![P]\!](X_{l-1} \times N)([\![B']\!]l)(\mathrm{id}_{X_l})(\sigma.n)) && \text{(see below)} \\
&= S(\times N)([\![(P, B', \sigma.n)]\!]) && \text{(def of } [\![(\cdot,\cdot,\cdot)]\!])
\end{aligned}$$

We have $\mathrm{id}_{X_{l-1}} \times N = \mathrm{id}_{X_l}$ simply by virtue of the definitions of $X_l = X_{l-1} \times N$
and the behavior of $\times N$ on $W$-morphisms. For $[\![B']\!]l = u'$, we first note that $u'$
is defined to be

$$(\mathrm{Env}(\times N)([\![B]\!](l-1)))[a_{new}(X_{l-1})/\iota,\ e_{new}(X_{l-1})/\kappa].$$

By definition of $B'$, $[\![B']\!]l = ([\![B]\!]l)[a^l_l/\iota,\ e^l_l/\kappa]$. So, by Lemma 16 we have

$$[\![B']\!]l = (\mathrm{Env}(\times N)([\![B]\!](l-1)))[a^l_l/\iota,\ e^l_l/\kappa].$$

Lemma 14 gives $a^l_l = a_{new}(X_{l-1})$ and $e^l_l = e_{new}(X_{l-1})$, from which we can
conclude $[\![B']\!]l = u'$ as required. ∎
Chapter 4

Adequacy

In this thesis, we have formally defined EoA, an ALGOL-like language which is a
variant of Reynolds's essence of Algol. We have given two different definitions
of the semantics for EoA. In Section 2.3 we gave an operational semantics for
EoA via a set of Plotkin-style SOS rules. In Section 3.4 we gave a denotational
semantics for EoA using the category of functors from state shapes to bottomless
cpos. Each semantics carries with it a natural notion of equality between
terms in EoA. It should be relatively clear that our operational semantics for
EoA is "correct" (in the sense that it matches how we expect EoA code to
behave). It is not nearly so clear that the denotational semantics for EoA is
"correct." Thus to show the "correctness" of our denotational model we need
to tie its behavior to the behavior of our operational model in a mathematically
rigorous way. Ideally, we would like for this connection to be that equality in
our denotational semantics coincides with equality in our operational semantics
(observational congruence). When we have this correspondence exactly, we call
the denotational model fully abstract with respect to the operational model.
Unfortunately the semantics of variable allocation (for either block structured
allocation or dynamic allocation) has resisted several attempts at fully abstract
models. Meyer and Sieber [9] provide a good summary of this difficulty. Although,
as we discuss in Chapter 5, some progress has been made towards full
abstraction, it looks like we are still quite far away. For example, the denotational
model considered here is not fully abstract for EoA [13].

A denotational model which is adequate, but not fully abstract, can still be
very useful for deducing observational congruences and other properties of code.
Any equalities between terms which we are able to prove using such an adequate
denotational model are also observational congruences between terms. Thus, if
we establish that our denotational model is adequate, then at least we can say
that any equalities which we prove denotationally are "correct." Unfortunately,
since the denotational model is not fully abstract, it will not be possible to prove
all observational congruences denotationally.
Section 2.5 contains the precise definition of observational congruence ($=_{obs}$)
for EoA. The goal of this Chapter is to prove the following theorem.

Theorem 18 (Adequacy) The Tennent model defined in Section 3.4 is adequate
for EoA. That is, for all EoA terms $M$, $N$,

$$[\![M]\!] = [\![N]\!] \text{ implies } M =_{obs} N.$$

Since the Tennent model is compositional, we need only prove: for all completely
closed EoA commands $P_1, P_2$, $[\![P_1]\!] = [\![P_2]\!]$ implies $P_1 =_{obs} P_2$.

We will prove this theorem in two steps. First we will show that the evaluation
relation preserves denotation (soundness), that is, if $\gamma \in C \cup \mathcal{C}$ and
$\gamma \to_{\mathcal{C}} \gamma'$ then $[\![\gamma]\!] = [\![\gamma']\!]$. Then we will prove that (at least for programs) denotation
determines the final result of evaluation. That is, if $[\![(P, B, \sigma)]\!] = \sigma'$ then
$(P, B, \sigma) \twoheadrightarrow_{\mathcal{C}} (\mathrm{skip}, B, \sigma')$. This result combined with the fact that $\to_{\mathcal{C}}$ is the
graph of a function gives the result that meaning determines observation, the
key property of adequacy. It is then a simple task to prove the precise statement
of Theorem 18.



4.1 Soundness

Technically we only need the result of soundness for program configurations
(configurations whose term part is a program); however, the proof requires a
somewhat more general induction hypothesis which is captured by the following
Theorem.

Theorem 19 (Soundness) Let $\gamma \in C \cup \mathcal{C}$. Suppose $\gamma \to_{\mathcal{C}} \gamma'$; then $[\![\gamma]\!] = [\![\gamma']\!]$.

Proof: The proof divides into two separate cases, depending on whether
$\gamma \in C$ or $\gamma \in \mathcal{C}$. The case of $\gamma \in C$ is a simple induction on the derivation
of $\gamma \to_{\mathcal{C}} \gamma'$ (see Figure 2.3 on page 17). The subcases of the rules (beta) and
(eval-operator) fall right out by the standard ccc properties of the model. The
subcase of (rec-unwind) is slightly more complicated than usual, but still easy.

The case of $\gamma = (Q, B, \sigma) \in \mathcal{C}$ is also a simple induction on the derivation
of $\gamma \to_{\mathcal{C}} \gamma'$ (see Figures 2.4 and 2.5 on page 18, and also the rule (interaction)).
The subcase of (interaction) comes directly from the preceding case for $\gamma \in C$.
We will show the case of the rule (New-eval). The other cases are uninteresting.

Recall the rule (New-eval):

$$\frac{(P, B', \sigma.n) \to_{\mathcal{C}} (P', B', \sigma'.n')}
{(\mathrm{New}\;\iota, \kappa \leftarrow n \text{ in } P, B, \sigma) \to_{\mathcal{C}} (\mathrm{New}\;\iota, \kappa \leftarrow n' \text{ in } P', B, \sigma')}$$

where $l = 1 + \mathrm{length}(\sigma)$ and $B' = B[l/\iota, l/\kappa]$. So suppose

$$(\mathrm{New}\;\iota, \kappa \leftarrow n \text{ in } P, B, \sigma) \to_{\mathcal{C}} (\mathrm{New}\;\iota, \kappa \leftarrow n' \text{ in } P', B, \sigma'),$$

because $(P, B', \sigma.n) \to_{\mathcal{C}} (P', B', \sigma'.n')$. Then,

$$\begin{aligned}
[\![(\mathrm{New}\;\iota, \kappa \leftarrow n \text{ in } P, B, \sigma)]\!]
&= S(\times N)([\![(P, B', \sigma.n)]\!]) && \text{(Lemma 17)} \\
&= S(\times N)([\![(P', B', \sigma'.n')]\!]) && \text{(induction)} \\
&= [\![(\mathrm{New}\;\iota, \kappa \leftarrow n' \text{ in } P', B, \sigma')]\!] && \text{(Lemma 17)}
\end{aligned}$$

exactly as required. ∎



4.2 The Computability Relation

The following Theorem expresses the other half of the adequacy proof. To
prove this Theorem we use the method of Logical Relations, following very
much along Plotkin's lines for PCF [18]. The proof we give uses a syntactic
unary logical relation on lterms. The modern trend in adequacy proofs (see
[10]) has been to use an inclusive binary logical relation between elements of the
denotational model and syntax. We have also proven the Theorem using this
modern method. There are various tradeoffs between the two methods. The
unary relation requires substantial syntactic work to handle the constants $Y_\theta$.
On the other hand, parameterizing the model by worlds and extending terms to
lterms complicates the relationship between the model and syntax. We are thus
unable to come up with a single binary relation between the denotational model
and syntax. Instead we require a distinct relation for every possible binding.

Theorem 20 For all program configurations $(P, B, \sigma)$,

$$\text{if } [\![(P, B, \sigma)]\!] = \sigma' \text{ then } (P, B, \sigma) \twoheadrightarrow_{\mathcal{C}} (\mathrm{skip}, B, \sigma').$$

We prove this by induction on the structure of terms. The induction hypothesis
is stated in the form of a Logical Relation. More precisely, by induction on
types we define a series of predicates on lterms which we will call $\mathrm{comp}_\theta$. Our
goal will then be to prove by induction on the structure of terms that all lterms
of type $\theta$ have the property $\mathrm{comp}_\theta$.

The task remaining is to find an appropriate definition of $\mathrm{comp}_\theta$ (for all
types $\theta$) and then to prove that every lterm $[M, B] : \theta$ has the property $\mathrm{comp}_\theta$. If
$[M, B] : \theta$ has the property $\mathrm{comp}_\theta$ then we call $[M, B]$ computable. We define
the relation $\mathrm{comp}_\theta$ on lterms $[M, B]$ by induction on types as follows:

1. We have two subcases for closed lterms $[Q, B]$ of base type:

(a) $[Q, B] : \mathrm{comm}$. Let $i = \mathrm{index}(B)$. $[Q, B]$ has property $\mathrm{comp}_{\mathrm{comm}}$ iff
$\forall \sigma \in X_i$:

$$[\![(Q, B, \sigma)]\!] = \sigma' \text{ implies } (Q, B, \sigma) \twoheadrightarrow_{\mathcal{C}} (\mathrm{skip}, B, \sigma')$$

(b) $[Q, B] : \mathrm{exp}$. Let $i = \mathrm{index}(B)$. $[Q, B]$ has property $\mathrm{comp}_{\mathrm{exp}}$ iff $\forall \sigma \in X_i$:

$$[\![(Q, B, \sigma)]\!] = n \ne \bot \text{ implies } (Q, B, \sigma) \twoheadrightarrow_{\mathcal{C}} (n, B, \sigma)$$

2. $[M, B] : \theta \to \tau$ is closed. $[M, B]$ has property $\mathrm{comp}_{\theta \to \tau}$ iff

For any closed lterm $[N, B] : \theta$, the closed lterm $[(M\;N), B]$ has
property $\mathrm{comp}_\tau$.

3. $[M, B] : \theta$ is open. Let $\mathrm{FV}(M) \setminus \mathrm{Dom}(B) = \{\alpha_1^{\theta_1}, \ldots, \alpha_k^{\theta_k}\}$. $[M, B]$ has
property $\mathrm{comp}_\theta$ iff

For all sequences of closed lterms $[N_1, B] : \theta_1, \ldots, [N_k, B] : \theta_k$
having properties $\mathrm{comp}_{\theta_1}, \ldots, \mathrm{comp}_{\theta_k}$ respectively, the closed
lterm $[M[N_1/\alpha_1^{\theta_1}] \cdots [N_k/\alpha_k^{\theta_k}], B]$ has property $\mathrm{comp}_\theta$.

In other words, $[M, B]$ has property $\mathrm{comp}_\theta$ if every closed instantiation of
$[M, B]$ by computable closed lterms is computable.

Of course, in order for this to be useful, we make sure in selecting the definition
of $\mathrm{comp}_\theta$ that if the closed lterm $[P, B]$ has property $\mathrm{comp}_{\mathrm{comm}}$ then, for
all states $\sigma, \sigma'$ (with length $\ge \mathrm{index}(B)$)

$$[\![(P, B, \sigma)]\!] = \sigma' \text{ implies } (P, B, \sigma) \twoheadrightarrow_{\mathcal{C}} (\mathrm{skip}, B, \sigma').$$

This requires one extra step from the definition of $\mathrm{comp}_{\mathrm{comm}}$ in the event that
$\mathrm{length}(\sigma) > \mathrm{index}(B)$. This extra step can be done either purely operationally
or via a combination of denotational and operational reasoning. We choose the
latter. Specifically, let $\kappa$ be a fresh exp identifier, $i = \mathrm{length}(\sigma)$ and $B' = B[i/\kappa]$.
Since $\kappa \notin \mathrm{FV}(P)$,

$$[\![(P, B, \sigma)]\!] = [\![(P, B', \sigma)]\!] = \sigma'.$$

If we could also show that the closed lterm $[P, B']$ has the property $\mathrm{comp}_{\mathrm{comm}}$,
then $(P, B', \sigma) \twoheadrightarrow_{\mathcal{C}} \sigma'$. Finally, by Property 4 of $\to_{\mathcal{C}}$, which was

Let $\alpha \notin \mathrm{FV}(Q)$ and $i \le \mathrm{length}(\sigma)$; then

$$(Q, B, \sigma) \to_{\mathcal{C}} (Q', B, \sigma') \text{ iff } (Q, B[i/\alpha], \sigma) \to_{\mathcal{C}} (Q', B[i/\alpha], \sigma'),$$

we can relate the behavior of $(P, B', \sigma)$ back to the behavior of $(P, B, \sigma)$, getting

$$(P, B, \sigma) \twoheadrightarrow_{\mathcal{C}} \sigma'$$

as required.
4.2.1 Proving All Lterms Computable

We prove by induction on the structure of terms that all lterms are computable.
We now carefully present the most interesting cases in the proof (although we
defer the case for $Y_\theta$ to the next section). The base cases in a proof by structural
induction are identifiers and constants. The inductive cases are applications, $\lambda$-abstractions,
and New-variable declarations.

Identifiers come in three flavors. They are: an identifier appearing free in
a lterm, an exp identifier appearing in the domain of the binding, and an acc
identifier appearing in the domain of the binding. Consider an arbitrary such
lterm $[\alpha^\theta, B]$. We have:

[$\alpha^\theta \notin \mathrm{Dom}(B)$] Any instantiation of the lterm $[\alpha^\theta, B]$ by a closed computable
lterm $[N, B] : \theta$ is $[N, B]$ which has property $\mathrm{comp}_\theta$ (by definition).

[$\theta = \mathrm{exp}$ and $B(\alpha^{\mathrm{exp}}) = i$] Let $j = \mathrm{index}(B)$ and $\sigma \in X_j$. In this case we have
$[\![(\alpha^{\mathrm{exp}}, B, \sigma)]\!] = \mathrm{proj}(\sigma, i)$ because

$$\begin{aligned}
[\![(\alpha^{\mathrm{exp}}, B, \sigma)]\!] &= [\![\alpha^{\mathrm{exp}}]\!]X_j([\![B]\!]j)\,\mathrm{id}_{X_j}\,\sigma && \text{(def of } [\![(\cdot,\cdot,\cdot)]\!]) \\
&= (e^j_i\,\mathrm{id}_{X_j})\,\sigma && \text{(def of } [\![B]\!]) \\
&= \sigma_i && \text{(def of } e^j_i).
\end{aligned}$$

Operationally, the rule (variable-read) gives the desired result:

$$(\alpha^{\mathrm{exp}}, B, \sigma) \to_{\mathcal{C}} (\mathrm{proj}(\sigma, i), B, \sigma).$$

[$\theta = \mathrm{acc}$ and $B(\alpha^{\mathrm{acc}}) = i$] Remember that acc is an abbreviation for $\mathrm{exp} \to
\mathrm{comm}$. We need to show for all closed lterms $[E, B]$ of type exp, that the
lterm $[(\alpha^{\mathrm{acc}}\;E), B]$ has property $\mathrm{comp}_{\mathrm{comm}}$. Let $j = \mathrm{index}(B)$ and $\sigma \in X_j$.
We must show that:

$$[\![((\alpha^{\mathrm{acc}}\;E), B, \sigma)]\!] = \sigma' \text{ implies } ((\alpha^{\mathrm{acc}}\;E), B, \sigma) \twoheadrightarrow_{\mathcal{C}} (\mathrm{skip}, B, \sigma')$$

As

$$\begin{aligned}
[\![((\alpha^{\mathrm{acc}}\;E), B, \sigma)]\!] &= [\![(\alpha^{\mathrm{acc}}\;E)]\!]X_j([\![B]\!]j)\,\mathrm{id}_{X_j}\,\sigma && \text{(def of } [\![(\cdot,\cdot,\cdot)]\!]) \\
[\![(\alpha^{\mathrm{acc}}\;E)]\!]X_j([\![B]\!]j) &= a^j_i\,\mathrm{id}_{X_j}([\![E]\!]X_j([\![B]\!]j)) && \text{(def of application and } [\![B]\!]),
\end{aligned}$$

we have $\sigma' = a^j_i\,\mathrm{id}_{X_j}([\![E]\!]X_j([\![B]\!]j))\,\mathrm{id}_{X_j}\,\sigma$. The definition of $a^j_i$ implies
that there is an $n \in N$ such that $[\![E]\!]X_j([\![B]\!]j)\,\mathrm{id}_{X_j}\,\sigma = n$ and
$\sigma' = \mathrm{update}(\sigma, i, n)$. We assumed that $[E, B]$ was a computable closed
lterm with property $\mathrm{comp}_{\mathrm{exp}}$, so $(E, B, \sigma) \twoheadrightarrow_{\mathcal{C}} (n, B, \sigma)$. Finally by a simple
induction on the length of the rewriting sequence (using the rule (assign-eval-arg)),
followed by an application of the rule (variable-write) we have

$$((\alpha^{\mathrm{acc}}\;E), B, \sigma) \twoheadrightarrow_{\mathcal{C}} ((\alpha^{\mathrm{acc}}\;n), B, \sigma) \to_{\mathcal{C}} (\mathrm{skip}, B, \mathrm{update}(\sigma, i, n))$$

giving $((\alpha^{\mathrm{acc}}\;E), B, \sigma) \twoheadrightarrow_{\mathcal{C}} (\mathrm{skip}, B, \mathrm{update}(\sigma, i, n))$.
Constants other than $Y_\theta$ are also relatively straightforward to handle. The following examples represent all of the interesting issues.

[$n, B$] Let $i = \mathrm{index}(B)$ and $\sigma \in X_i$. Since $\llbracket\langle n, B, \sigma\rangle\rrbracket = \llbracket n\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = n$ and $\langle n, B, \sigma\rangle \twoheadrightarrow_c \langle n, B, \sigma\rangle$, we are done.

[seq, $B$] Let $i = \mathrm{index}(B)$ and $\sigma \in X_i$. We need to show for all closed computable lterms $[P_1, B] : \mathrm{comm}$ and $[P_2, B] : \mathrm{comm}$ that the closed lterm $[(\mathrm{seq}\, P_1\, P_2), B]$ has property $\mathit{comp}_{\mathrm{comm}}$. Specifically,

$\llbracket\langle (\mathrm{seq}\, P_1\, P_2), B, \sigma\rangle\rrbracket = \sigma'$ implies $\langle (\mathrm{seq}\, P_1\, P_2), B, \sigma\rangle \twoheadrightarrow_c \langle \mathrm{skip}, B, \sigma'\rangle$.

Suppose $\llbracket (\mathrm{seq}\, P_1\, P_2)\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = \sigma'$. From the definition of $\llbracket\mathrm{seq}\rrbracket$ we can conclude that there is a $\sigma'' \in X_i$ such that $\llbracket P_1\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = \sigma''$ and $\llbracket P_2\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma'' = \sigma'$. Our original assumption was that both $[P_1, B]$ and $[P_2, B]$ were closed lterms with property $\mathit{comp}_{\mathrm{comm}}$. Thus, $\langle P_1, B, \sigma\rangle \twoheadrightarrow_c \langle \mathrm{skip}, B, \sigma''\rangle$ and $\langle P_2, B, \sigma''\rangle \twoheadrightarrow_c \langle \mathrm{skip}, B, \sigma'\rangle$. An easy induction on the length of the first rewriting sequence (using the rule (seq-eval-arg1)) followed by an application of the rule (seq-discharge) then gives

$\langle (\mathrm{seq}\, P_1\, P_2), B, \sigma\rangle \twoheadrightarrow_c \langle (\mathrm{seq}\, \mathrm{skip}\, P_2), B, \sigma''\rangle \to_c \langle P_2, B, \sigma''\rangle \twoheadrightarrow_c \langle \mathrm{skip}, B, \sigma'\rangle$,

giving $\langle (\mathrm{seq}\, P_1\, P_2), B, \sigma\rangle \twoheadrightarrow_c \langle \mathrm{skip}, B, \sigma'\rangle$.

[plus, $B$] Let $i = \mathrm{index}(B)$ and $\sigma \in X_i$. We need to show that for all closed computable lterms $[E_1, B] : \mathrm{exp}$ and $[E_2, B] : \mathrm{exp}$ the closed lterm $[(\mathrm{plus}\, E_1\, E_2), B]$ has property $\mathit{comp}_{\mathrm{exp}}$. Specifically, $\llbracket\langle (\mathrm{plus}\, E_1\, E_2), B, \sigma\rangle\rrbracket = n \neq \bot$ implies $\langle (\mathrm{plus}\, E_1\, E_2), B, \sigma\rangle \twoheadrightarrow_c \langle n, B, \sigma\rangle$. So, suppose

$\llbracket (\mathrm{plus}\, E_1\, E_2)\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = n$.

By the definition of $\llbracket\mathrm{plus}\rrbracket$, we know that there must be $n_1, n_2 \in \mathbb{N}$ such that:

$\llbracket E_1\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = n_1$

$\llbracket E_2\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = n_2$

$n_1 + n_2 = n$

As $[E_1, B]$ and $[E_2, B]$ are computable, we have $\langle E_1, B, \sigma\rangle \twoheadrightarrow_c \langle n_1, B, \sigma\rangle$ and $\langle E_2, B, \sigma\rangle \twoheadrightarrow_c \langle n_2, B, \sigma\rangle$. Another two simple inductions on the length of these rewriting sequences (one using the rule (plus-eval-arg1) and the other using (plus-eval-arg2)) followed by an application of the rule (plus-do) give

$\langle (\mathrm{plus}\, E_1\, E_2), B, \sigma\rangle \twoheadrightarrow_c \langle n, B, \sigma\rangle$.
Applications fall out easily from comp being a logical relation. The case of $[(M\, N), B]$ closed is immediate. If $[(M\, N), B]$ is open, let $M : \theta \to \tau$ and $N : \theta$ and let $[L, B]$ be a closed instantiation of $[(M\, N), B]$ by terms $N_1, \ldots, N_k$ such that each $[N_j, B]$ (for $1 \le j \le k$) is computable. $L$ must have the form $(M'\, N')$ where $M'$ and $N'$ are instantiations of $M$ and $N$ respectively such that both $[M', B]$ and $[N', B]$ are closed lterms. By induction $[M, B]$ and $[N, B]$ were computable, and so $[M', B]$ has the property $\mathit{comp}_{\theta\to\tau}$ and $[N', B]$ has the property $\mathit{comp}_\theta$. By definition of $\mathit{comp}_{\theta\to\tau}$, $[(M'\, N'), B]$ has property $\mathit{comp}_\tau$, exactly as required.

λ-abstractions, $[(\lambda a^\theta.\, M), B] : \theta \to \tau$. Let $[L, B]$ be an arbitrary closed instantiation of $[(\lambda a^\theta.\, M), B]$ by computable closed lterms (same general methodology as applications). In order to show that $[L, B]$ has the property $\mathit{comp}_{\theta\to\tau}$ we observe that $L = (\lambda a^\theta.\, M')$ where $M'$ is an instantiation of all of the free identifiers of $[M, B]$ other than $a^\theta$. The type $\theta \to \tau$ can be uniquely rewritten to be of the form $\theta \to \theta_1 \to \cdots \to \theta_k \to \beta$ for some $k \ge 0$ and $\beta \in \{\mathrm{exp}, \mathrm{comm}\}$. To show that $[L, B]$ is computable, it suffices to show, for arbitrary computable closed lterms $[N_0, B] : \theta$, $[N_1, B] : \theta_1, \ldots, [N_k, B] : \theta_k$, that the ground term $[(L\, N_0\, N_1 \cdots N_k), B]$ has the property $\mathit{comp}_\beta$. For concreteness, we show the result for $\beta = \mathrm{exp}$. Let $i = \mathrm{index}(B)$ and $\sigma \in X_i$. Suppose $\llbracket L\, N_0 \cdots N_k\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = n \neq \bot$; then by Soundness

$\llbracket (M'[N_0/a^\theta])\, N_1 \cdots N_k\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = \llbracket L\, N_0 \cdots N_k\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = n$.

But $[M'[N_0/a^\theta], B]$ is a computable closed lterm, therefore the closed lterm $[((M'[N_0/a^\theta])\, N_1 \cdots N_k), B]$ is also computable. We now have:

$\langle L\, N_0 \cdots N_k, B, \sigma\rangle \to_c \langle (M'[N_0/a^\theta])\, N_1 \cdots N_k, B, \sigma\rangle \twoheadrightarrow_c \langle n, B, \sigma\rangle$.

New-declarations, $[(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P), B]$. Without loss of generality, suppose this lterm is closed. Let $i = \mathrm{index}(B)$ and $\sigma \in X_i$. By the identifier convention we may assume that $\iota \notin \mathrm{Dom}(B)$ and $\kappa \notin \mathrm{Dom}(B)$. We must show that

$\llbracket\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle\rrbracket = \sigma'$

implies

$\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle \twoheadrightarrow_c \langle \mathrm{skip}, B, \sigma'\rangle$.

We make the following abbreviations:

$B' = B[(i+1)/\iota, (i+1)/\kappa]$
$n = \llbracket E\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = \llbracket\langle E, B, \sigma\rangle\rrbracket$

Suppose $\llbracket\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle\rrbracket = \sigma'$. The fact that the New-block is defined tells us that $n \neq \bot$. By induction $[E, B]$ has property $\mathit{comp}_{\mathrm{exp}}$. Since $[E, B]$ is a closed lterm, we have $\langle E, B, \sigma\rangle \twoheadrightarrow_c \langle n, B, \sigma\rangle$. Then

$\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle \twoheadrightarrow_c \langle \mathrm{New}\ \iota, \kappa \leftarrow n\ \mathrm{in}\ P, B, \sigma\rangle$.
By soundness, $\llbracket\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle\rrbracket = \llbracket\langle \mathrm{New}\ \iota, \kappa \leftarrow n\ \mathrm{in}\ P, B, \sigma\rangle\rrbracket = \sigma'$. By Lemma 17,

$\llbracket\langle \mathrm{New}\ \iota, \kappa \leftarrow n\ \mathrm{in}\ P, B, \sigma\rangle\rrbracket = S(\times\mathbb{N})\, \llbracket\langle P, B', \sigma.n\rangle\rrbracket = \sigma'$.

By definition of $S(\times\mathbb{N})$, there must exist an $n'$ such that

$\llbracket\langle P, B', \sigma.n\rangle\rrbracket = \sigma'.n'$.

But $[P, B']$ is a closed lterm with property $\mathit{comp}_{\mathrm{comm}}$. Note that we were not doing an induction on the structure of lterms, but an induction on the structure of (ordinary) terms. As $P$ is a subterm of $(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P)$, this is a sound application of our induction hypothesis. Thus, using the computability of $[P, B']$, we have that:

$\langle P, B', \sigma.n\rangle \twoheadrightarrow_c \langle \mathrm{skip}, B', \sigma'.n'\rangle$.

An easy induction on the length of the rewriting sequence (using the rule (New-eval)) followed by an application of the rule (New-discharge) gives

$\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle \twoheadrightarrow_c \langle \mathrm{New}\ \iota, \kappa \leftarrow n\ \mathrm{in}\ P, B, \sigma\rangle$
$\twoheadrightarrow_c \langle \mathrm{New}\ \iota, \kappa \leftarrow n'\ \mathrm{in}\ \mathrm{skip}, B, \sigma'\rangle$
$\to_c \langle \mathrm{skip}, B, \sigma'\rangle$.
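The cases above (identifiers, the constants, and New-declarations) all argue by inductions on rewriting sequences built from the rules (variable-read), (assign-eval-arg), (variable-write), (plus-eval-arg1), (plus-eval-arg2), (plus-do), (seq-eval-arg1), (seq-discharge), (New-eval) and (New-discharge). The following Python interpreter is an added example and is not part of the thesis: it mechanises those rules for the first-order fragment of EoA on configurations $\langle M, B, \sigma\rangle$. The rule names are the thesis's; their exact shapes are assumed from the way the proof applies them, and the term encoding, the functions `step` and `run`, the sample binding `B0` and the sample block are ours. The function `same_as_without_block` also lets one try Example 1 of Chapter 5 on a closed body.

```python
# Added example, not from the thesis: a small-step interpreter for the
# first-order fragment of EoA on configurations <M, B, sigma>.  Rule names are
# those used in the adequacy proof; their exact shapes are assumed from the way
# the proof applies them.  States are tuples indexed from 1, as proj/update are.

SKIP = ('skip',)

def proj(sigma, i):
    """proj(sigma, i): the i-th component of the state (1-based)."""
    return sigma[i - 1]

def update(sigma, i, n):
    """update(sigma, i, n): the state with component i replaced by n."""
    return sigma[:i - 1] + (n,) + sigma[i:]

def is_num(t):
    return t[0] == 'num'

def step(term, B, sigma):
    """One step <term, B, sigma> ->c <term', B, sigma'>, or None if terminal."""
    kind = term[0]
    if kind == 'read':                                   # (variable-read)
        return ('num', proj(sigma, B[term[1]])), B, sigma
    if kind == 'assign':                                 # a^acc applied to E
        a, E = term[1], term[2]
        if not is_num(E):                                # (assign-eval-arg)
            E2, _, sigma2 = step(E, B, sigma)
            return ('assign', a, E2), B, sigma2
        return SKIP, B, update(sigma, B[a], E[1])        # (variable-write)
    if kind == 'plus':
        E1, E2 = term[1], term[2]
        if not is_num(E1):                               # (plus-eval-arg1)
            E1b, _, sigma2 = step(E1, B, sigma)
            return ('plus', E1b, E2), B, sigma2
        if not is_num(E2):                               # (plus-eval-arg2)
            E2b, _, sigma2 = step(E2, B, sigma)
            return ('plus', E1, E2b), B, sigma2
        return ('num', E1[1] + E2[1]), B, sigma          # (plus-do)
    if kind == 'seq':
        P1, P2 = term[1], term[2]
        if P1 != SKIP:                                   # (seq-eval-arg1)
            P1b, _, sigma2 = step(P1, B, sigma)
            return ('seq', P1b, P2), B, sigma2
        return P2, B, sigma                              # (seq-discharge)
    if kind == 'new':                                    # New iota,kappa <- E in P
        iota, kappa, E, P = term[1:]
        if not is_num(E):                                # evaluate the initialiser first
            E2, _, sigma2 = step(E, B, sigma)
            return ('new', iota, kappa, E2, P), B, sigma2
        if P == SKIP:                                    # (New-discharge): drop the local
            return SKIP, B, sigma
        i = len(sigma)                                   # index(B); the local is location i+1
        B2 = dict(B, **{iota: i + 1, kappa: i + 1})      # B' = B[(i+1)/iota, (i+1)/kappa]
        P2, _, ext = step(P, B2, sigma + (E[1],))        # (New-eval): one step of P on sigma.n
        return ('new', iota, kappa, ('num', ext[-1]), P2), B, ext[:-1]
    return None

def run(term, B, sigma, fuel=10_000):
    """Iterate ->c to a terminal configuration; returns (term, sigma, number of steps)."""
    steps = 0
    while term != SKIP and not is_num(term):
        if steps >= fuel:
            raise RuntimeError('out of fuel: the term may not terminate')
        term, B, sigma = step(term, B, sigma)
        steps += 1
    return term, sigma, steps

# Constructed sample binding: a non-local variable x at location 1, with its
# acceptor and expressor names 'x_acc' and 'x_exp' (our naming).
B0 = {'x_acc': 1, 'x_exp': 1}
X = ('read', 'x_exp')

def example_block():
    """New iota,kappa <- (plus x 1) in (seq (iota := plus kappa kappa) (x := plus kappa x)),
    started from the state (5,): the local lives at location 2 while the body runs
    and is discharged at the end, so the final state has length 1 again."""
    body = ('seq',
            ('assign', 'iota', ('plus', ('read', 'kappa'), ('read', 'kappa'))),
            ('assign', 'x_acc', ('plus', ('read', 'kappa'), X)))
    block = ('new', 'iota', 'kappa', ('plus', X, ('num', 1)), body)
    return run(block, B0, (5,))

def same_as_without_block(P, sigma):
    """Example 1 of Chapter 5 on a closed body P: does New iota,kappa <- 0 in P
    reach the same final state as P alone?"""
    return run(('new', 'iota', 'kappa', ('num', 0), P), B0, sigma)[1] == run(P, B0, sigma)[1]
```

Running `example_block()` yields the terminal configuration `(('skip',), (17,), steps)`: the initialiser evaluates to 6, the body doubles the local to 12 and then stores 12 + 5 into x, and (New-discharge) removes the local, exactly the shape of the rewriting sequence displayed at the end of the New case.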

4.2.2 Handling Y 

As with PCF [18], the main difficulty in proving all terms computable is caused by the recursion operators $Y_\theta$. Before we handle this last case, we need to do some substantial preliminary work.

We make the obvious generalization of Plotkin's work to EoA. We approximate $Y_\theta$ by terms $Y_\theta^{(n)}$ (for $n \ge 0$). To do so we first define terms $\Omega_{\mathrm{exp}} = Y_{\mathrm{exp}}(\lambda a^{\mathrm{exp}}.\, a^{\mathrm{exp}})$, $\Omega_{\mathrm{comm}} = Y_{\mathrm{comm}}(\lambda a^{\mathrm{comm}}.\, a^{\mathrm{comm}})$, and $\Omega_{\theta\to\tau} = (\lambda a^\theta.\, \Omega_\tau)$. We then define $Y_\theta^{(n)}$ by induction on $n$ as follows:

$Y_\theta^{(0)} = \Omega_{(\theta\to\theta)\to\theta}$ and $Y_\theta^{(n+1)} = (\lambda a^{\theta\to\theta}.\, (a^{\theta\to\theta}\, (Y_\theta^{(n)}\, a^{\theta\to\theta})))$.

We then have the following useful combinatorial properties for all W-worlds $X$, W-morphisms $f : X \to Y$, $u \in \mathrm{Env}(X)$, and $m \in \llbracket\theta\to\theta\rrbracket Y$:

$\llbracket Y_\theta\rrbracket X\, u\, f\, m = \bigsqcup_{n \ge 0} (m\, \mathrm{id}_Y)^n(\bot_{\llbracket\theta\rrbracket X})$,

$\llbracket \Omega_\theta\rrbracket X\, u = \bot_{\llbracket\theta\rrbracket X}$,

$\llbracket Y_\theta^{(n)}\rrbracket X\, u\, f\, m = (m\, \mathrm{id}_Y)^n(\bot_{\llbracket\theta\rrbracket X})$,

$\llbracket Y_\theta\rrbracket X\, u = \bigsqcup \{\llbracket Y_\theta^{(n)}\rrbracket X\, u : n \ge 0\}$.
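The lub and approximation equations above are the engine of the $Y_\theta$ case below, where a defined result $c \in \mathbb{N}$ is traced back to the least $n$ for which the $n$-th approximant already yields $c$. The following Python block is an added example (ours, not the thesis's): it collapses the functor-category indexing (worlds, morphisms, identities) to a single world, takes $\mathbb{N}_\bot$ as the flat domain with `None` playing $\bot$, and computes the approximants $(m\, \mathrm{id})^n(\bot)$ for a constructed sample functional. The names `omega`, `y_approx`, `fact_functional`, `least_defining_n`, `y_lub` and `chain_is_stable` are ours.

```python
# Added example, not from the thesis: Plotkin-style finite approximation of the
# fixed-point operator on a flat domain.  The functor-category indexing (worlds,
# morphisms, identities) is collapsed to a single world, N_bot is the flat domain
# with None for bottom, and a Python function N -> N_bot stands for an element m
# of [[exp -> exp]] at that world.

BOTTOM = None   # bottom of the flat domain N_bot

def omega(_x):
    """[[Omega_{exp->exp}]]: the function that is bottom everywhere."""
    return BOTTOM

def y_approx(m, n):
    """[[Y^{(n)}]] m = (m id)^n(bottom): n unrollings of m starting from Omega."""
    g = omega
    for _ in range(n):
        g = m(g)                        # Y^{(k+1)} a = a (Y^{(k)} a)
    return g

def fact_functional(g):
    """Constructed sample functional m: the body of a recursive factorial, written
    strictly so that g(x-1) = bottom forces the result to bottom."""
    def f(x):
        if x == 0:
            return 1
        r = g(x - 1)
        return BOTTOM if r is BOTTOM else x * r
    return f

def least_defining_n(m, x, limit=1000):
    """The least n with (m id)^n(bottom)(x) != bottom, the n picked out in the Y case
    of the proof (c in N and N_bot flat); None if no n up to `limit` works."""
    for n in range(limit + 1):
        if y_approx(m, n)(x) is not BOTTOM:
            return n
    return None

def y_lub(m, x, limit=1000):
    """lub_n (m id)^n(bottom)(x): in a flat domain the chain at x is
    bottom, ..., bottom, c, c, ..., so the lub is the first non-bottom value."""
    n = least_defining_n(m, x, limit)
    return BOTTOM if n is None else y_approx(m, n)(x)

def chain_is_stable(m, x, n0, extra=5):
    """Once (m id)^{n0}(bottom)(x) is defined, all later approximants agree with it
    (the chain is increasing and the domain is flat)."""
    v = y_approx(m, n0)(x)
    return all(y_approx(m, n0 + k)(x) == v for k in range(1, extra + 1))
```

For `fact_functional` the $n$-th approximant is defined exactly on arguments below $n$, so `least_defining_n(fact_functional, 4)` is 5 and `y_lub(fact_functional, 5)` is 120, while for the identity functional (the denotation of $\Omega$ written as $Y(\lambda a.\, a)$) every approximant is $\bot$ and the lub is $\bot$.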

We define $\preceq$ to be the least relation between terms such that:

• $\Omega_\theta \preceq M : \theta$ and $Y_\theta^{(n)} \preceq Y_\theta$ for all $\theta$, $n \ge 0$,

• $M \preceq M$,

• If $M : (\theta \to \tau) \preceq M' : (\theta \to \tau)$ and $N : \theta \preceq N' : \theta$ then $(\lambda a^{\theta'}.\, M) \preceq (\lambda a^{\theta'}.\, M')$, and $(M\, N) \preceq (M'\, N')$,

• If $E : \mathrm{exp} \preceq E' : \mathrm{exp}$ and $P : \mathrm{comm} \preceq P' : \mathrm{comm}$ then

$(\mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P) \preceq (\mathrm{New}\ \iota, \kappa \leftarrow E'\ \mathrm{in}\ P')$.

The following is the appropriate analogue of Plotkin's Lemma 3.2 [18].

Lemma 21 If $M \preceq N$, $\langle M, B, \sigma\rangle \in \mathcal{C}$ and $\langle M, B, \sigma\rangle \to_c \langle M', B, \sigma'\rangle$ then either $M' \preceq N$ and $\sigma = \sigma'$, or else for some $N'$ and $\sigma'$, $\langle N, B, \sigma\rangle \to_c \langle N', B, \sigma'\rangle$ and $M' \preceq N'$.¹

Proof: In order to prove the above Lemma we must first establish the analogous result for $M \to_c M'$, specifically:

If $M \preceq N$ and $M \to_c M'$ then either $M' \preceq N$, or else for some $N'$, $N \to_c N'$ and $M' \preceq N'$.

The proof of the above result for $M \to_c M'$ is a simple induction on the derivation of $M \preceq N$. The proof of the Lemma itself is then merely a tedious induction on the derivation of $\langle M, B, \sigma\rangle \to_c \langle M', B, \sigma'\rangle$, with the case of (interaction) coming directly from the preceding result. ■

We are now ready to prove that all lterms with term part of the form $Y_\theta$ have the property $\mathit{comp}_{(\theta\to\theta)\to\theta}$. Let $[Y_\theta, B]$ be an arbitrary such lterm. We start by observing that any type $\theta$ is of the form $\tau_1 \to \tau_2 \to \cdots \to \tau_k \to \beta$, where $\beta \in \{\mathrm{exp}, \mathrm{comm}\}$. To show that $[Y_\theta, B]$ has the property $\mathit{comp}_{(\theta\to\theta)\to\theta}$, it is enough to show that for arbitrary computable closed lterms $[N_0, B] : \theta \to \theta$, $[N_1, B] : \tau_1, \ldots, [N_k, B] : \tau_k$, the closed lterm $[(Y_\theta\, N_0 \cdots N_k), B]$ has property $\mathit{comp}_\beta$. The two cases for $\beta$ are essentially similar; we argue the case of $\beta = \mathrm{exp}$.

Let $i = \mathrm{index}(B)$, and $\sigma \in X_i$. We must show that

$\llbracket (Y_\theta\, N_0 \cdots N_k)\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = c \neq \bot$

implies that

$\langle (Y_\theta\, N_0 \cdots N_k), B, \sigma\rangle \twoheadrightarrow_c \langle c, B, \sigma\rangle$.

So assuming the hypothesis, we have:

$\llbracket Y_\theta\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, m_0\, \mathrm{id}_{X_i} \cdots \mathrm{id}_{X_i}\, m_k\, \mathrm{id}_{X_i}\, \sigma = c$
¹ In order to avoid an endless profusion of "primes" and subscripts, we temporarily abandon our metavariable convention (for $M$ and $N$) for the statement and proof of this Lemma.
where $m_j = \llbracket N_j\rrbracket X_i\, (\llbracket B\rrbracket i)$ (for $0 \le j \le k$). We remarked earlier that

$\llbracket Y_\theta\rrbracket X_i\, (\llbracket B\rrbracket i) = \bigsqcup_{n \ge 0} \llbracket Y_\theta^{(n)}\rrbracket X_i\, (\llbracket B\rrbracket i)$.

This will give us the following:

$\bigl(\bigsqcup_{n \ge 0} \llbracket Y_\theta^{(n)}\rrbracket X_i\, (\llbracket B\rrbracket i)\bigr)\, \mathrm{id}_{X_i}\, m_0\, \mathrm{id}_{X_i} \cdots \mathrm{id}_{X_i}\, m_k\, \mathrm{id}_{X_i}\, \sigma = c$

$\bigsqcup_{n \ge 0} \{\llbracket Y_\theta^{(n)}\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, m_0\, \mathrm{id}_{X_i} \cdots \mathrm{id}_{X_i}\, m_k\, \mathrm{id}_{X_i}\, \sigma\} = c$

Since $c \in \mathbb{N}$, and $\mathbb{N}_\bot$ is flat, there is a least $n$ such that:

$\llbracket Y_\theta^{(n)}\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, m_0\, \mathrm{id}_{X_i} \cdots \mathrm{id}_{X_i}\, m_k\, \mathrm{id}_{X_i}\, \sigma = c$

$\llbracket (Y_\theta^{(n)}\, N_0 \cdots N_k)\rrbracket X_i\, (\llbracket B\rrbracket i)\, \mathrm{id}_{X_i}\, \sigma = c$

All lterms with term part $Y_\theta^{(n)}$ are computable. A simple induction on $n$ shows why. For the basis we have that $[Y_\theta^{(0)}, B] = [\Omega_{(\theta\to\theta)\to\theta}, B]$ is computable (for any binding $B$), since $\Omega_{(\theta\to\theta)\to\theta}$ denotes $\bot_{\llbracket(\theta\to\theta)\to\theta\rrbracket}$. For the inductive case, $[Y_\theta^{(n+1)}, B] = [(\lambda a^{\theta\to\theta}.\, (a^{\theta\to\theta}\, (Y_\theta^{(n)}\, a^{\theta\to\theta}))), B]$, we use the earlier cases in proving that all terms are computable (applications and λ-abstractions) to show that if $[Y_\theta^{(n)}, B]$ is computable, then so is $[Y_\theta^{(n+1)}, B]$.

Consequently, $(Y_\theta^{(n)}\, N_0 \cdots N_k)$ has property $\mathit{comp}_{\mathrm{exp}}$. Thus,

$\langle Y_\theta^{(n)}\, N_0 \cdots N_k, B, \sigma\rangle \twoheadrightarrow_c \langle c, B, \sigma\rangle$.

Finally, we apply Lemma 21 and so we can say that:

$\langle Y_\theta\, N_0 \cdots N_k, B, \sigma\rangle \twoheadrightarrow_c \langle c, B, \sigma\rangle$

and thus conclude that $[Y_\theta, B]$ is computable.

4.3 A General Adequacy Theorem for Functor Category Models

Until now we have focused our attention on Tennent's model of EoA. We now abstract away the details of Tennent's model and describe those properties of the model upon which the adequacy proof of the preceding Sections depended. We limit our attention to models of EoA which use a functor category of the form $D^A$, where $A$ is now permitted to be any small category. We assume $\llbracket\cdot\rrbracket$ is a standard c.c.c. interpretation of EoA in $D^A$. That is, it is a specification of the category, objects for the meanings of base types, and morphisms for the meanings of constants. We assume that $\llbracket\theta \to \tau\rrbracket$ is the exponent object $\llbracket\theta\rrbracket \Rightarrow \llbracket\tau\rrbracket$. We assume that meanings for applications and λ-abstractions are found in the standard ways.

Our conditions will provide constraints on what $\llbracket\mathrm{exp}\rrbracket$ and $\llbracket\mathrm{comm}\rrbracket$ must look like, and how the constants must fit together. They will also place some constraints between the interpretation of New blocks and the meanings for base types. Finally, we must also be able to find appropriate entities in the model to interpret bindings and states so that everything fits together.

Our first condition is a restriction on $A$. We must be able to find an appropriate sequence of worlds in $A$ to model configurations with state part of length 0, length 1, length 2, and so on. To state this precisely we define the category $\mathrm{NAT} = \langle\mathbb{N}, \ge\rangle$. NAT has $\mathbb{N}$ as objects, and for $n$ greater than or equal to $m$, it has a morphism $n \ge m : m \to n$. We require that there exist a covariant functor $L : \mathrm{NAT} \to A$, in order to get off the ground. All of our constraints will be phrased in terms of $L$. In a generalized adequacy proof, we would use the object $L(i)$ of $A$ wherever we used the object $X_i$ of $W$ in the old proof. In place of the morphism $\times\mathbb{N}^k : X_i \to X_{i+k}$, we now use the morphism $L(i+k \ge i) : L(i) \to L(i+k)$.

We require that $\llbracket\mathrm{exp}\rrbracket(L(i))$ "looks like" $\mathbb{N}^i \to \mathbb{N}_\bot$, and that $\llbracket\mathrm{comm}\rrbracket(L(i))$ looks like $\mathbb{N}^i \to \mathbb{N}^i_\bot$. So we require that $\mathit{ap}_{\mathrm{exp}}(e, \sigma)$, when viewed as a function of $\sigma$, is isomorphic to $\mathbb{N}^i \to \mathbb{N}_\bot$ (wlog we assume it is equal). Similarly we require that $\mathit{ap}_{\mathrm{comm}}(c, \sigma)$, when viewed as a function of $\sigma$, is isomorphic to $\mathbb{N}^i \to \mathbb{N}^i_\bot$ (wlog we assume it is equal). We should really index $\mathit{ap}_{\mathrm{exp}}$ and $\mathit{ap}_{\mathrm{comm}}$ by the world $L(i)$ in which the first argument lives, but this should always be evident from context. We also require that $\llbracket\mathrm{exp}\rrbracket(L(m \ge n))$ and $\llbracket\mathrm{comm}\rrbracket(L(m \ge n))$ behave sensibly. Specifically, we require:

$\mathit{ap}_{\mathrm{exp}}(\llbracket\mathrm{exp}\rrbracket(L(m \ge n))(e), (v_1, \ldots, v_m)) = \mathit{ap}_{\mathrm{exp}}(e, (v_1, \ldots, v_n))$,

and

$\mathit{ap}_{\mathrm{comm}}(\llbracket\mathrm{comm}\rrbracket(L(m \ge n))(c), (v_1, \ldots, v_m)) = (v'_1, \ldots, v'_n, v_{n+1}, \ldots, v_m)$ if $\mathit{ap}_{\mathrm{comm}}(c, (v_1, \ldots, v_n)) = (v'_1, \ldots, v'_n)$, and $\bot$ otherwise.

We require that all of the constants other than $Y_\theta$ ($n$, skip, $\mathrm{IFexp}_{\mathrm{exp}}$, seq, $\mathrm{IFexp}_{\mathrm{comm}}$, succ, and plus) satisfy the obvious equations. For $Y_\theta$, we require that

$\llbracket Y_\theta\rrbracket(L(i))(f) = \bigsqcup_{n \ge 0} (f\, \mathrm{id}_{L(i)})^n(\bot_{\llbracket\theta\rrbracket(L(i))})$.

Finally, we must be able to find "locations" in the model which fit together properly with each other and with $L$. For each $i$ and $k \le i$ we need to find an acceptor $a^i_k \in \llbracket\mathrm{acc}\rrbracket(L(i))$ which corresponds to the acceptor for the $k$-th component of the state. Similarly we need an expressor $e^i_k \in \llbracket\mathrm{exp}\rrbracket(L(i))$. These must fit together as they did for Tennent's model; specifically,

$a^i_k = \llbracket\mathrm{acc}\rrbracket(L(i \ge k))\, a^k_k$,
$e^i_k = \llbracket\mathrm{exp}\rrbracket(L(i \ge k))\, e^k_k$.

Finally, not only must they fit together properly, but they must behave like the right locations. The following condition is sufficient:

$\mathit{ap}_{\mathrm{comm}}(\mathit{ap}_{\mathrm{acc}}(a^i_k, e), \sigma) = \mathrm{update}(\sigma, k, n)$ if $\mathit{ap}_{\mathrm{exp}}(e, \sigma) = n \neq \bot$, and $\bot$ otherwise;

$\mathit{ap}_{\mathrm{exp}}(e^i_k, \sigma) = \mathrm{proj}(\sigma, k)$.

We can then define the meanings for bindings as in Section 3.5.2. Finally we define the meaning of a configuration $\langle M, B, \sigma\rangle$ with $\mathrm{length}(\sigma) = i$ as follows:

$\llbracket M\rrbracket(L(i))(\llbracket B\rrbracket i)$ for $M$ of higher type,

$\llbracket M\rrbracket(L(i))(\llbracket B\rrbracket i)\, \mathrm{id}_{L(i)}\, \sigma$ for $M$ of base type.

Lastly we need the appropriate analogue of Lemma 17, which is: for all program configurations $\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle$, if $\llbracket\langle E, B, \sigma\rangle\rrbracket = n \neq \bot$, $l = 1 + \mathrm{length}(\sigma)$, and $B' = B[l/\iota, l/\kappa]$, then

$\llbracket\langle \mathrm{New}\ \iota, \kappa \leftarrow E\ \mathrm{in}\ P, B, \sigma\rangle\rrbracket = (w_1, \ldots, w_l)$ if $\llbracket\langle P, B', \sigma.n\rangle\rrbracket = (w_1, \ldots, w_l, w_{l+1})$, and $\bot$ otherwise.

And that's all.
Chapter 5

Comparing Models of Block Structure



Although the field of denotational semantics has made many strides in its history, there is still great difficulty in finding reasonable models of imperative features and variable allocation. The most commonly used model of imperative features is the "marked store" model, which is little more than an encoding of the usual operational semantics, providing little added insight to justify the additional technical background required to understand the denotational semantics. A guiding concern in the design of a denotational semantics is for the semantics to be "fully abstract." A fully abstract semantics would, by definition, contain precisely the information about a term that we require in order to understand its behavior in all contexts. In other words, we would have "abstracted away" from all of the irrelevant details. As discussed in [9], the marked stores model fails very early on in the quest for full abstraction for block structured local variables. The failure results from an inability to fully understand the behavior of commands.

5.1 Advanced Models of Block Structure 

During the 1980's several more promising models of block structure have been presented. Reynolds and Oles developed a model of block structure based on a category of functors from a category of state shapes to a category of bottomless cpos [15-17,21]. The work of Reynolds and Oles has been simplified in Tennent's model of Reynolds's Specification Logic [25]. Tennent separated the issues of implicit coercions and block structure, which had been intertwined in the model of Reynolds and Oles. Tennent also found a few other technical simplifications of the appropriate category of state shapes which should be used for modeling block structure. In addition, to properly model interference (which helps in understanding how higher order objects behave) Tennent further modified the category of state shapes and chose an "ad hoc" definition for $\llbracket\mathrm{comm}\rrbracket$, rather than taking the functor $S \Rightarrow S$. Finally, in order to model a principle of "non-interference abstraction," Tennent and O'Hearn [13] adjusted the category of state shapes which Tennent originally used in [25].

Along a different line, Halpern, Meyer and Trakhtenbrot developed a model [5] (now referred to as the HMT store model), which Meyer and Sieber [9] summarize as follows:

Halpern-Meyer-Trakhtenbrot proposed a formal definition of the support of a function from Stores to Stores. Intuitively the support of a store transformation $p$ is the set of locations which $p$ can read or write. In the HMT store model [5], $\mathrm{Prog}$ ($\llbracket\mathrm{comm}\rrbracket$) is taken to be the set of $p$ with finite support. To model local variables, the notion of support is extended to the type $\mathrm{Loc} \to \mathrm{Prog}$ of block bodies regarded as a function of their free location identifier. The semantical space used to interpret such block body functions is again restricted to be the elements in $\mathrm{Loc}_\bot \to_c \mathrm{Prog}$ with finite support. Since there are an infinite number of locations, this restriction guarantees that a location can be found which is not in the support of any given block body. Then local storage allocation for a block begin new x; body end is (uniquely) determined by the rule that x be bound to any location not in the support of the function denoted by $\lambda x.\,\mathit{body}$.

Meyer and Sieber developed what they called "The invariant-preserving model," which is now coming to be called the Meyer-Sieber model. This model validates the following reasoning principle:

Let $Q$ be of type $\mathrm{comm} \to \mathrm{comm}$, and $P$ of type comm. Let $r$ be a property of states such that $\mathrm{support}(r) \cap \mathrm{support}(Q) = \emptyset$. If $r$ is an invariant of $P$, then $r$ is also an invariant of $Q(P)$.

None of the above models is fully abstract for EoA. We will now examine the relative merits of later models: the Tennent model, the O'Hearn-Tennent model and the Meyer-Sieber model. It is not obvious whether the Tennent model and the O'Hearn-Tennent model differ in their equational theory. In fact it is not obvious which, if either, has the stronger equational theory.

5.2 The Meyer-Sieber Examples 

Our discussion focuses on the Meyer-Sieber Examples [9]. Specifically, we examine the statement of these examples in EoA and address how the Tennent and O'Hearn-Tennent models handle them. All but the last of the Meyer-Sieber Examples hold for the Meyer-Sieber model. All of the examples which can be stated in EoA hold for the Tennent and O'Hearn-Tennent models. Since Example 6 critically uses the fact that the sample language is based on locations rather than variables, this example cannot be translated into EoA and thus it is not handled by the Tennent and O'Hearn-Tennent models. We will see in Section 5.3 that slight perturbations of the problems lead to either open questions or outright failures.

Example 1 The block below is replaceable simply by the call P.

    begin
      new x;
      P;  % P is declared elsewhere
    end

The translation of this block into EoA would be something like:

    New ι, κ ← 0 in P

Contrary to the claim at the end of [25, p. 158], the Tennent model (and also the Tennent-O'Hearn model) does satisfy this equivalence, without additional constraints on command meanings. A discussion of this equality appears in [13, §5, Example 1], the bulk of the justification being a proof of our Lemma 13.

Example 2 The block below always diverges.

    begin
      new x;
      x := 0;
      P;  % P is declared elsewhere
      if contents(x) = 0 then diverge fi
    end

The translation of this block into EoA would be something like:

    New ι, κ ← 0 in
      P;  % P is declared elsewhere
      IFexp_comm (κ = 0) diverge skip

This Example is not explicitly discussed in [13], but it is quite simple to prove. Specifically, let $C$ be the above EoA command. We show for arbitrary worlds $X$ and $Y$, environments $u \in \mathrm{Env}(X)$, morphisms $f : X \to Y$ and states $y \in Y$, that $\llbracket C\rrbracket X\, u\, f\, y$ is undefined. Let $p = u(P)$. Since $\times\mathbb{N}; f \times \mathbb{N} = f; \times\mathbb{N}$, we have $p(\times\mathbb{N}; f \times \mathbb{N}) = p(f; \times\mathbb{N})$. Suppose that $p(f; \times\mathbb{N})(y.0)$ is defined, say it is $y'.n$. We must show that $n$ is 0. Let $Y' = Y \times \{0\}$. By the uniformity condition on elements of $\llbracket\mathrm{comm}\rrbracket$:

$S(\lceil Y'\rceil)\,(p(f; \times\mathbb{N})\,(y.0)) = p(f; \times\mathbb{N}; \lceil Y'\rceil)\,(S(\lceil Y'\rceil)\,(y.0))$.

Any state which is equal to the right hand side must lie in the set $Y'$. Thus $y'.n$ is of the form $y'.0$, and so $n = 0$. ■

Example 3 The blocks

    begin new x; new y; x := 0; y := 0; Q(x, y) end

and

    begin new x; new y; x := 0; y := 0; Q(y, x) end

are equivalent.

The EoA version of the first block is:

    New ι₁, κ₁ ← 0 in (New ι₂, κ₂ ← 0 in Q(ι₁)(κ₁)(ι₂)(κ₂))

The EoA version of the second block is:

    New ι₁, κ₁ ← 0 in (New ι₂, κ₂ ← 0 in Q(ι₂)(κ₂)(ι₁)(κ₁))

where $Q$ is an identifier of type $\mathrm{acc} \to \mathrm{exp} \to \mathrm{acc} \to \mathrm{exp} \to \mathrm{comm}$. This equality was also discussed in [13, §5, Example 2]. They say: "The equivalence can be shown by a straightforward calculation using an endomorphism that exchanges the two $\mathbb{N}$-valued components in a world of the form $X \times \mathbb{N} \times \mathbb{N}$, thus exchanging the declared variables." Properly using this endomorphism will require repeatedly moving it across the commutativity conditions required by the functor $\Rightarrow$. We then observe that this endomorphism is also an isomorphism in the category of possible worlds, thus we can use Lemma 13 to move the endomorphism across the command. ■

Example 4 The block below always diverges.

    begin
      new x; new y;
      procedure Twice; begin y := 2 * contents(y) end;
      x := 0; y := 0;
      Q(Twice);  % Q is declared elsewhere
      if contents(x) = 0 then diverge fi
    end

For the translation of this block into EoA, we beta-reduce the desugared version of the procedure declaration to get:

    New ι₁, κ₁ ← 0 in
    New ι₂, κ₂ ← 0 in
      Q(ι₂ (2 * κ₂));
      IFexp_comm (κ₁ = 0) diverge skip

This example is more complicated than the earlier ones, and is not specifically addressed in [13], but it is easily handled using the methods developed there. Specifically it is handled by the semantic definition of non-interference ($\#$) which they give in Section 3. One merely needs to formalize the usual intuition. We have the following:

$Q \# \kappa_1$ (since $Q$ is non-local)

$\iota_2 (2 * \kappa_2) \# \kappa_1$ (obvious)

$Q(\iota_2 (2 * \kappa_2)) \# \kappa_1$

where the last step comes from the semantic version of the following "procedure-call law": if $C : \theta \to \theta'$ and an identifier $c$ is not free in $C$ or $E$ then $C \# E \Rightarrow (\forall c : \theta.\ c \# E \Rightarrow C(c) \# E)$. From this we can conclude that after the execution of $Q(\iota_2 (2 * \kappa_2))$ the value of $\kappa_1$ is unchanged, namely 0. ■

Example 5 The block below always diverges.

    begin
      new x;
      procedure Add_2;  % Add_2 is the ability to add 2 to x
        begin x := contents(x) + 2 end;
      x := 0;
      Q(Add_2);  % Q is declared elsewhere
      if contents(x) mod 2 = 0 then diverge fi
    end

For the translation of this block into EoA we again beta-reduce the desugared version of the procedure declaration, getting:

    New ι, κ ← 0 in
      Q(ι (κ + 2));
      IFexp_comm (κ mod 2 = 0) diverge skip

O'Hearn and Tennent also discuss this example in [13, §6]. Their argument uses specification logic, rather than a direct semantic proof. Moreover, their argument relies on the principle of non-interference abstraction. Whether or not this principle is sound for the Tennent model is an open question. The O'Hearn-Tennent model was introduced specifically to overcome this shortcoming. There does, however, exist a semantic proof of this equality for the original Tennent model. Furthermore, the reasoning carries over directly to the O'Hearn-Tennent model. To see how to prove this in the Tennent model, we make the informal observation that

$Q(\iota(\kappa + 2)) \# (\kappa \bmod 2)$.

The additional constraint on elements of $\llbracket\mathrm{comm}\rrbracket$ requires that the equivalence class component of the endomorphism $\llbracket\kappa \bmod 2\rrbracket$ be respected by $\llbracket Q(\iota(\kappa + 2))\rrbracket$. Thus the resulting state (if any) of $Q(\iota(\kappa + 2))$ must have the same value of $(\kappa \bmod 2)$ as the initial state. ■

As we discuss in the next Section, there is a slight perturbation of the above block whose divergence (in the Tennent model) is an open question.

Example 6 The block

    begin
      new x;
      procedure AlmostAdd_2;
        begin if z = x then x := 1 else x := contents(x) + 2 fi end;
      x := 0;
      Q(Add_2);  % Q is declared elsewhere
      if contents(x) mod 2 = 0 then diverge fi
    end

always diverges.

A test for equality of locations is not a part of EoA, nor is it possible to simulate such a test in EoA. Therefore Example 6 is not relevant to EoA.

Example 7 The block

    begin new x; procedure Add_1; begin x := contents(x) + 1 end; P(Add_1) end

is observationally congruent to the block

    begin new x; procedure Add_2; begin x := contents(x) + 2 end; P(Add_2) end.

The desugared EoA encodings of these blocks are:

    New ι, κ ← 0 in (λAdd_1. P(Add_1))(ι (κ + 1))

and

    New ι, κ ← 0 in (λAdd_2. P(Add_2))(ι (κ + 2)).

To see why this equality holds, we let $V = \mathbb{N}$ and $V' = \{n \in \mathbb{N} \mid n \text{ is even}\}$. Given any world $X$, we can define a W-isomorphism $(i, T_{X \times V'}) : X \times V \to X \times V'$, where $i(x.n) = x.(2n)$, and $T_{X \times V'}$ is the universally true binary relation on $X \times V'$. As with the argument for Example 5, we know that $P(\mathit{Add\_2}) \# \mathrm{Parity}(\kappa)$, thus the behavior of $P(\mathit{Add\_2})$ in world $X \times V$ completely projects into its behavior on states of the form $x.2n$ in world $X \times V'$. In other words, for the $u$ that arises in interpreting the second block, we have:

$\llbracket P(\mathit{Add\_2})\rrbracket(X \times V)(u)(\mathrm{id}_{X \times V})(x.n) = \llbracket P(\mathit{Add\_2})\rrbracket(X \times V')(u_2)(\mathrm{id}_{X \times V'})(x.n)$

where $u_2 = \mathrm{Env}(\lceil(X \times V')\rceil)\, u$. From this we need to show:

$\llbracket P(\mathit{Add\_1})\rrbracket(X \times V)(u_1)(\mathrm{id}_{X \times V})(x.n) = \llbracket P(\mathit{Add\_2})\rrbracket(X \times V')(u_2)(\mathrm{id}_{X \times V'})(x.2n)$

using

$u_1(P) = \llbracket\mathrm{comm} \to \mathrm{comm}\rrbracket(\times\mathbb{N}) = p_1$

$u_2(P) = \llbracket\mathrm{comm} \to \mathrm{comm}\rrbracket(\times\mathbb{N}; \lceil(X \times V')\rceil) = p_2$

$c_1 = u_1(\mathit{Add\_1})$

$c_2 = u_2(\mathit{Add\_2})$.

It is sufficient to prove the following equality, which follows via an argument analogous to that for Example 3, using the isomorphism $(i, T_{X \times V'})$:

$p_1(\mathrm{id}_{X \times \mathbb{N}})(c_1)(\mathrm{id}_{X \times V})(x.n) = p_2(\mathrm{id}_{X \times \mathbb{N}}; \lceil(X \times V')\rceil)(c_2)(\mathrm{id}_{X \times V'})(x.2n)$ ■

There is one other example of an equivalence which the Tennent model satisfies, which is interesting [13, §5, Example 3]. This does not appear as one of the Meyer-Sieber examples, and Sieber claims that this example fails in the Meyer-Sieber model. It is essentially

Example 8 The following blocks are equivalent:

    begin
      new x;
      x := 1;
      P(x);  % P is declared elsewhere
    end

and

    P(1)

Operationally, the idea is that P does not have write access to x, so that whenever x is evaluated as part of the call P(x), x must produce 1.
5.3 Failure of Full Abstraction

The fact that the Tennent and O'Hearn-Tennent models correctly handle all of the relevant Meyer-Sieber examples demonstrates the substantial power of these models. Looking at these examples alone, however, is quite misleading. There are slight perturbations of the Meyer-Sieber examples which the Tennent or O'Hearn-Tennent models do not handle (or where their performance is an open problem). Furthermore, there is a simple example which the Meyer-Sieber model (and most other models) handles but the Tennent and O'Hearn-Tennent models do not.

We start with the Example due to O'Hearn [13] which first showed the failure of full abstraction (for both the Tennent and O'Hearn-Tennent models).

Example 9 The block

    begin new x; P(skip) end

is observationally congruent to the block

    begin new x; procedure Add_1; begin x := contents(x) + 1 end; P(Add_1) end.

This is just a slight perturbation of Example 7. Intuitively the Tennent and O'Hearn-Tennent models fail because even though $P$ does not have complete access to $x$ from $\mathit{Add\_1}$, $P$ can check whether or not $\mathit{Add\_1}$ has a side-effect on $x$. Specifically, they let $p \in \llbracket\mathrm{comm} \to \mathrm{comm}\rrbracket X$ be defined as follows: for any $f : X \to Y$, $c \in \llbracket\mathrm{comm}\rrbracket Y$, $g : Y \to Z$, and $s \in S(Z)$,

$p\, f\, c\, g\, s = s$ if $c\, g\, s = s$, and undefined otherwise.

Then

$p(\mathrm{id}_X)(\llbracket\mathrm{skip}\rrbracket X\, u)(\mathrm{id}_X)(s) = s$,

whereas

$p(\times\mathbb{N})\,(\llbracket x := x + 1\rrbracket(X \times \mathbb{N})(u'))\,(\mathrm{id}_{X \times \mathbb{N}})(s.0)$

is undefined, where $u$ and $u'$ are the appropriate non-local and local environments, respectively. ■

From O'Hearn's counterexample to full abstraction, we manage to construct an example which is handled by most other models, but which neither the Tennent model nor the O'Hearn-Tennent model handles.

Example 10 The block

    begin new x; P(x := x + 1; x := x + 1) end

is observationally congruent to the block

    begin new x; P(x := x + 2) end.

Intuitively, this failure is because these models are sensitive to intermediate states encountered during program execution. Specifically, we modify the proof for the preceding example and take instead

pfcgs = c(g;\{z,c(g)z})z. 

Then we have

$p(\times\mathbb{N})\,(\llbracket x := x + 2\rrbracket(X \times \mathbb{N})(u))\,(\mathrm{id}_{X \times \mathbb{N}})(s.0) = s.2$

whereas

$p(\times\mathbb{N})\,(\llbracket x := x + 1; x := x + 1\rrbracket(X \times \mathbb{N})(u))\,(\mathrm{id}_{X \times \mathbb{N}})(s.0)$

is undefined, where $u$ is the appropriate local environment. ■
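To see the two counterexamples side by side, here is an added Python sketch (ours, not O'Hearn's and not the thesis's) of the "snooping" elements behind Examples 9 and 10. Command meanings are modelled as functions on states, given as tuples with the local x in the last component, and the world and morphism arguments $f$, $g$ of a functor-category element are dropped, so this is a one-world sketch. `p_example9` is the element $p$ of Example 9 ($s$ if $c\,g\,s = s$, undefined otherwise). `p_example10` is our own formalisation of the intuition stated for Example 10 (sensitivity to intermediate states), not the formula on the page: the argument command is supplied as its list of atomic steps, and $p$ is undefined when some intermediate state differs from both the initial and the final state. All function names are ours. The code only exhibits such elements in a model of this shape; the failure of full abstraction lies in the fact, argued in the text, that the models contain them while the two blocks of each example are observationally congruent.

```python
# Added example, not from the thesis or from O'Hearn: the "snooping" command
# transformers behind Examples 9 and 10.  A command meaning is modelled as a
# Python function on states (tuples, local x in the last component) returning a
# state or UNDEF; the world and morphism arguments f, g of a functor-category
# element are dropped, so this is a one-world sketch.

UNDEF = None

def skip(s):
    """[[skip]]: the identity on states."""
    return s

def add_to_x(k):
    """[[x := x + k]] with the local x stored in the last state component."""
    return lambda s: s[:-1] + (s[-1] + k,)

def seq(c1, c2):
    """[[c1; c2]], strict in an undefined intermediate result."""
    def both(s):
        t = c1(s)
        return UNDEF if t is UNDEF else c2(t)
    return both

def p_example9(c):
    """The element p of Example 9: p c s = s if c s = s, undefined otherwise."""
    return lambda s: s if c(s) == s else UNDEF

def p_example10(atomic_steps):
    """Our own formalisation of the intuition given for Example 10 (not the thesis's
    formula): the argument command is supplied as its list of atomic steps, and p
    is undefined when some intermediate state differs from both the initial and
    the final state, i.e. p reacts to intermediate states of its argument."""
    def run(s):
        states = [s]
        for st in atomic_steps:
            nxt = st(states[-1])
            if nxt is UNDEF:
                return UNDEF
            states.append(nxt)
        final = states[-1]
        if any(mid != s and mid != final for mid in states[1:-1]):
            return UNDEF
        return final
    return run

def example9_distinguishes(s):
    """Example 9 at state s.0: p(skip) is defined, p(Add_1) is not.  A command
    whose effects cancel out is accepted: p only sees the final state."""
    s0 = s + (0,)
    round_trip = seq(add_to_x(1), add_to_x(-1))
    return (p_example9(skip)(s0) == s0
            and p_example9(add_to_x(1))(s0) is UNDEF
            and p_example9(round_trip)(s0) == s0)

def example10_distinguishes(s):
    """Example 10 at state s.0: p(x := x + 2) = s.2, p(x := x + 1; x := x + 1) undefined."""
    s0 = s + (0,)
    one_step = p_example10([add_to_x(2)])(s0)
    two_steps = p_example10([add_to_x(1), add_to_x(1)])(s0)
    return one_step == s + (2,) and two_steps is UNDEF
```

The contrast between the two elements is the point of the pair of examples: `p_example9` inspects only the final state, so a command whose effects cancel (`x := x + 1; x := x - 1`) is indistinguishable from skip for it, while `p_example10` rejects that same command because it passes through an intermediate state.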

Finally, we have a perturbation of Example 5 which is handled by the O'Hearn-Tennent model, but whether or not the Tennent model handles it is an open problem.

Example 11 The block below always diverges.

    begin
      new x;
      procedure Add_2;  % Add_2 is the ability to add 2 to x
        begin x := contents(x) + 1; x := contents(x) + 1; end;
      x := 0;
      Q(Add_2);  % Q is declared elsewhere
      if contents(x) mod 2 = 0 then diverge fi
    end

O'Hearn and Tennent justified this example by showing that the O'Hearn-Tennent model satisfies a principle called "Non-Interference Abstraction," which has the following as a special case:

$P \# R \ \&\ \{R\}\, C\, \{R\} \Rightarrow \{R\}\, P(C)\, \{R\}$.

In English, this says that if $P$ does not interfere with property $R$ and property $R$ is preserved by $C$, then property $R$ is preserved by the call $P(C)$. This principle is sufficient to justify the above Example. ■

It is an open problem as to whether or not the Tennent model satisfies the 
principle of Non-interference Abstraction. It is also an open problem as to 
whether or not the Tennent model and the O'Hearn-Tennent model have the 
same equational theories. Furthermore, in the event that the equational theories 
differ, it is not obvious whether one must be stronger than the other, or if they 
could be incomparable. 
Chapter 6

Conclusion



We have given the first complete exposition of a Structured Operational Se- 
mantics for an ALGOL-like language, and have shown that the Tennent and 
O'Hearn-Tennent functor category models are adequate with respect to this 
semantics. As the Tennent and O'Hearn-Tennent models were themselves de- 
signed to provide a model of Reynolds's Specification Logic [22], the adequacy 
result of this thesis can be taken to be an adequacy result for Specification Logic. 
Thus this thesis provides a concrete connection between Specification Logic and 
our operational understanding of how ALGOL-like code should behave. 

One novel feature used in defining the operational semantics is the handling 
of New-blocks. Specifically, the use of the initialization for the new variable and 
the rule (New-eval) seemed to make the technical work in the Adequacy proof 
flow cleanly. 

Having established the adequacy of these models, the next question to ask 
is "Are they fully-abstract?" Section 5.3 shows that they are not. Another 
reasonable question to ask is how close do they come? In other words, what 
"partial full-abstraction" results hold. For example, the model is fully abstract 
for the equational theory of EoA commands with free identifiers restricted to 
be of type exp or comm. On the other hand, the counterexamples of Section 5.3 
reflect a failure of full abstraction for the equational theory of EoA terms with 
free identifiers restricted to be of type comm — ► comm or below. Related to 
lower-order full abstraction results are "half-full abstraction" results. Specifi- 
cally, for what collection of C (if any) is the model fully abstract for equalities 
of the form C = P where P is a program? What about when P is a closed 
command? 

Aside from taxonomy, the natural question to ask is whether or not we can "repair" these models so as to either achieve full abstraction, or at least come closer to it. It might be possible to obtain models with equational theories closer to full abstraction by perturbing the model in subtle ways. The generalization of the adequacy proof given in Section 4.3 provides some loose